Dan Harkins writes:
>   FIPS 186-3 (The Digital Signature Algorithm) specifies that security
> strength levels of DSA are a minimum of the security strength of the
> hash algorithm and the (L,N) pair from the domain parameter set. If
> one wished to achieve a security strength level with DSA that would
> be valid, according to NIST, "beyond 2030" one would need to use
> SHA-512 but IKEv2 only uses SHA-1 with "DSS Digital Signature"
> (authentication method value of 3) so that wouldn't work.

That SHA-1 text is left over from RFC4306 and from IKEv1, i.e. from
when the only supported DSS was the one using SHA-1. RFC5996 did
update from the 1994 FIPS 186 to draft FIPS 186-3, but that comment
about SHA-1 did not get removed.

On the other hand, I would expect most implementations to ignore
that comment, go with the actual DSS documentation when using DSS
signatures, and use the hashes defined there.

This is one of those cases where, when that text was added, it seemed
to help in understanding the issue, as SHA-1 was the only allowed hash
function for DSS, but as the documents were updated with later
references, that comment became misleading and did not get removed.

>   So to actually address this in the hash-specific canonical way
> requires new auth methods for different permutations of DSS with
> SHA-224, SHA-256, SHA-384, and SHA-512 as well as different
> permutations of ECDSA with brainpool curves using the 5 different
> SHA variants. But this is getting, as you say, "cumbersome".

So you are saying that DSS, even with ECDSA, requires telling
separately which hash function is used? I have assumed that when I
get a DSA public key in the certificate and know the length of the DSA
key, I can know which hash function is used with that key?

But if I am mistaken, then we might need to add extra DSS methods too
(but let's not add them to IKEv1, as I do not want new modifications to
IKEv1. IKEv1 does this the same way as IKEv2 does, i.e. it assumes you
know which hash function is used with DSS and ignores the negotiated
hash function when using DSS).

Note that there are no MUSTs or anything like that in RFC5996
saying you MUST use SHA-1; it is just a statement that DSS as defined in
the 1994 version used SHA-1.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
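The strength rule quoted at the top of the thread (a DSA signature is no stronger than the weaker of its hash and its (L,N) pair) and the reply's question of whether the key length alone pins down the hash, worked through as an added Python example that is not part of the thread. The (L,N) pairs and their bit strengths are the approved sets of FIPS 186-3 as rated in SP 800-57 Part 1; the truncation-to-N rule is FIPS 186-3's; the function names are this example's own.

```python
# Added example, not from the mailing list thread: DSA security strength
# as min(strength of the (L,N) pair, strength of the hash), per FIPS 186-3.

# Approved (L,N) pairs from FIPS 186-3 section 4.2, with the security
# strength in bits that SP 800-57 Part 1 assigns to each.
DSA_PAIR_STRENGTH = {
    (1024, 160): 80,
    (2048, 224): 112,
    (2048, 256): 112,
    (3072, 256): 128,
}

# Digest length in bits of SHA-1 and the SHA-2 family.
HASH_OUTLEN = {
    "SHA-1": 160,
    "SHA-224": 224,
    "SHA-256": 256,
    "SHA-384": 384,
    "SHA-512": 512,
}


def hash_signature_strength(hash_name, n):
    """Collision-resistance strength of the hash as used inside DSA.

    FIPS 186-3 signs the leftmost min(N, outlen) bits of the digest, so a
    digest longer than N contributes at most N bits, and the collision
    resistance that matters for a signature is half the bits actually used.
    (SP 800-57 rates SHA-1 at 80 bits here; later cryptanalysis puts it
    lower, so treat the SHA-1 rows as an upper bound.)
    """
    outlen = HASH_OUTLEN[hash_name]
    return min(n, outlen) // 2


def dsa_security_strength(l, n, hash_name):
    """Overall strength of a DSA signature with domain parameters (L,N)
    and the given hash; raises KeyError for a non-approved (L,N) pair."""
    pair_strength = DSA_PAIR_STRENGTH[(l, n)]
    return min(pair_strength, hash_signature_strength(hash_name, n))


def hashes_for_key_size(n):
    """Hashes whose full digest is at least N bits, i.e. the candidates a
    verifier cannot tell apart from the DSA key length alone.  FIPS 186-3
    recommends matching the hash to the (L,N) strength but leaves the
    choice to the signer, which is why the thread discusses signalling it."""
    return [name for name, outlen in HASH_OUTLEN.items() if outlen >= n]


if __name__ == "__main__":
    # Show the effect of keeping SHA-1 on a 3072-bit key: the key is rated
    # at 128 bits but the signature is capped by the hash at 80.
    for hash_name in HASH_OUTLEN:
        print(f"(3072,256) with {hash_name}: "
              f"{dsa_security_strength(3072, 256, hash_name)} bits")
    print("Hashes a 256-bit q cannot distinguish:", hashes_for_key_size(256))
```

Running the block prints one line per hash for the (3072,256) pair; the SHA-1 row is the case the thread is worried about, where the key's 128-bit rating is pulled down to 80 by the digest, while SHA-256, SHA-384 and SHA-512 all end at 128 because the digest is truncated to N = 256 bits before signing.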
