On Sun, July 22, 2012 6:53 am, Yoav Nir wrote:

> With ECDSA, the hashes are the same sizes as the signatures, so there's no
> room within the signature to encode the hash algorithm. You need to know
> what it is by some other means. So they chose to encode it using the AUTH
> method. Not very economical in terms of protecting the scarce resource of
> auth methods.
Actually that's not true. The length of the digest of the hash algorithm is not the same as the length of the prime of the curve (what I think you mean by the "same size as the signatures", since the signature is R|S). X9.62 says that the length of the digest of the hash is a kind of low-water mark of the desired security level. If the digest is larger than the length of the prime then you're supposed to take the left-most length-of-prime bits of the digest and use that to compute "s".

And this points to another unfortunate design decision of IKEv2. Instead of negotiating a fundamental cryptographic primitive like a hash function, it negotiates a derivative construct like a PRF. So instead of being able to use the negotiated hash function to compute an ECDSA signature we're forced to eat through the "scarce resource" of the authentication method registry. Very clumsy, very hackish, very unfortunate.

Dan.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
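The X9.62 / FIPS 186 truncation rule described in the reply above (keep only the left-most bits of a digest that is longer than the curve's order), as an added example that is not part of this thread. It assumes only the Python standard library and uses the bit length of each NIST curve's group order (256, 384, 521), which for these curves equals the bit length of the prime; the message is a constructed sample.

```python
import hashlib

# Bit length of the group order n for the NIST curves (equal to the
# bit length of the field prime p for these three curves).
ORDER_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}


def bits2int(digest: bytes, order_bits: int) -> int:
    """X9.62 / FIPS 186-4 rule: if the digest is longer than the order,
    keep only its left-most order_bits bits; otherwise use it whole."""
    digest_bits = len(digest) * 8
    z = int.from_bytes(digest, "big")
    if digest_bits > order_bits:
        # Shift rather than slice bytes: P-521 has an order whose bit
        # length is not a multiple of 8, so byte slicing keeps too much.
        z >>= digest_bits - order_bits
    return z


def hash_for_signing(msg: bytes, hash_name: str, curve: str) -> int:
    """The integer z that ECDSA actually signs for this (hash, curve) pair."""
    digest = hashlib.new(hash_name, msg).digest()
    return bits2int(digest, ORDER_BITS[curve])


def truncation_table() -> dict:
    """How many digest bits survive for each (hash, curve) combination."""
    table = {}
    for hash_name in ("sha256", "sha384", "sha512"):
        digest_bits = hashlib.new(hash_name).digest_size * 8
        for curve, nbits in ORDER_BITS.items():
            table[(hash_name, curve)] = min(digest_bits, nbits)
    return table


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input
    for (h, c), kept in sorted(truncation_table().items()):
        print(f"{h:7s} on {c}: {kept} bits of digest used")
    # Same curve, different hash: z differs, so the verifier must learn
    # which hash was used by some other means (in IKEv2, the AUTH method).
    print(hash_for_signing(msg, "sha256", "P-256")
          != hash_for_signing(msg, "sha512", "P-256"))
```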