On Dec 22, 2011, at 9:07 PM, Gaurav Poothia wrote:

> Hello,
>
> The basic IKEv2 cert auth mechanism for RSA (from RFC 5996) seems to be to hash using SHA-1 before signing.
>
> However when using ECDSA certs for IKEv2 I am trying to make sure I am reading RFC 4754 correctly when it says the following:
>
> “Moreover, ECDSA cannot be specified for IKEv2 independently of an associated hash function since IKEv2 does not have a transform type for hash functions. For this reason, it is necessary to specify the hash function as part of the signature algorithm. Furthermore, the elliptic curve group must be specified since the choice of hash function depends on it as well. As a result, it is necessary to specify three signature algorithms, named ECDSA-256, ECDSA-384, and ECDSA-521. Each of these algorithms represents an instantiation of the ECDSA algorithm using a particular elliptic curve group and hash function. The three hash functions are specified in [SHS]. For reasons of consistency, this document defines the signatures for IKE in the same way.
>
>    Digital Signature Algorithm   Elliptic Curve Group        Hash Function
>    ---------------------------   --------------------------  ---------------
>    ECDSA-256                     256-bit random ECP group    SHA-256
>    ECDSA-384                     384-bit random ECP group    SHA-384
>    ECDSA-521                     521-bit random ECP group    SHA-512”
>
> Does this mean we proceed just like RSA here but hash with SHA-256 and not SHA-1 for an ECDSA-256 cert and then proceed to sign as usual? Similarly, use SHA-384 and SHA-512 for ECDSA-384 and ECDSA-521 respectively. Is that the correct reading of this excerpt?

Hi Gaurav

This is pretty much correct. With ECDSA you first hash with the specified hash function, and then sign the hash with the ECDSA group. Note how the numbers almost match up, so the size of the hash is exactly the size of the buffer to be signed.

This is different from RSA, where the hash is much shorter than the buffer to be signed. Even the longest hash anyone uses has only a 512-bit output, while 1024-bit signatures are considered too short these days, and 512-bit signatures are apparently grounds for blacklisting a CA.

With RSA you use the RSASSA-PKCS1-v1_5 signature scheme, and that includes an identifier for the hash algorithm, so you can use any hash you want.

Hope this helps

Yoav
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec