On Sun, November 1, 2015 7:21 pm, Yoav Nir wrote:
>
>> On 2 Nov 2015, at 11:44 AM, Paul Wouters <p...@nohats.ca> wrote:
>>
>> On Mon, 2 Nov 2015, Yoav Nir wrote:
>>
>>> P.S. Someone’s asked me off-list whether there is any IPsecME
>>> document that says not to trust SHA-1 in signatures, both AUTH payload
>>> and certificates, the way the TLS 1.3 document may end up saying for
>>> TLS. I’m wondering if RFC4307bis might be the place for this, in
>>> particular the signature in AUTH payload. Just something to think about
>>> before we bikeshed.
>>
>> We should have text to clarify the difference of algorithm use in
>> IKE/IPsec and in AUTH processing. Initial thought is that AUTH
>> processing crypto restrictions don't belong in 4307bis.
>
> I think we do need some kind of statement along the lines:
>  - With RSA signatures, use SHA-256 or better, not SHA-1 (BTW: 7296 says
> “SHOULD use SHA-1” and this is a document from only last year…)
>  - Don’t use DSS because that is only defined with SHA-1.
>  - With ECDSA no need to specify because each curve comes with a hash

  Do you mean each _signature_ comes with a hash, because you can
use different hash algorithms to sign with any given curve? X9.62 in
section 7.3, under Actions subsection e sub 1, even specifies what
to do if the hash function used in the signature produces a digest
that is greater than the length of the prime used in the curve
definition-- namely, take the left-most length of prime bits of the
digest to construct intermediate variable E.

  Dan.

>  - PSK is fine because you are using a PRF.
>  - With anything else, don’t use any hash weaker than SHA-256.
>
> If not here, where does this advice go?
>
> Yoav
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
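The truncation step Dan cites from X9.62 section 7.3 is easy to get wrong in an interoperating implementation, so here is a worked example. It is added by the editor and is not code from the thread or from any IPsec implementation: a pure-Python ECDSA over NIST P-256 whose hash_to_int() applies the rule as FIPS 186-4 section 6.4 and RFC 6979 state it, keeping the leftmost bitlen(n) bits of the digest, where n is the group order (for P-256 that is 256 bits, the same as the bit length of the prime). Signing with SHA-256 (a 256-bit digest fits) and SHA-512 (512 bits, must be truncated) over the same key shows both branches. The message is a constructed sample, the key is random, and the scalar multiplication is not constant time, so this is for understanding the rule, not for production use.

```python
# Added example, not from the thread: ECDSA over NIST P-256 in pure Python,
# showing the X9.62 7.3 / FIPS 186-4 6.4 rule for a digest longer than the
# order: keep only the leftmost bitlen(n) bits of the hash before using it as E.
import hashlib
import secrets

# NIST P-256 domain parameters (public constants).
P  = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A  = P - 3
B  = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N  = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
G = (GX, GY)

def _add(p1, p2):
    """Affine point addition on P-256 (None is the point at infinity)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p2 == -p1
        return None
    if p1 == p2:                           # doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def hash_to_int(digest: bytes, n: int = N) -> int:
    """X9.62 7.3 / FIPS 186-4 6.4: if the digest is longer than bitlen(n),
    keep only its leftmost bitlen(n) bits; otherwise use the whole digest.
    The reduction mod n happens later, inside the signature equation."""
    e = int.from_bytes(digest, "big")
    excess = 8 * len(digest) - n.bit_length()
    return e >> excess if excess > 0 else e

def sign(d: int, msg: bytes, hash_name: str):
    """ECDSA sign with a random per-signature k (RFC 6979 would derive k deterministically)."""
    e = hash_to_int(hashlib.new(hash_name, msg).digest())
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (e + r * d) % N
        if s == 0:
            continue
        return (r, s)

def verify(Q, msg: bytes, sig, hash_name: str) -> bool:
    """ECDSA verify; the verifier must apply the same truncation as the signer."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    e = hash_to_int(hashlib.new(hash_name, msg).digest())
    w = pow(s, -1, N)
    X = _add(_mul(e * w % N, G), _mul(r * w % N, Q))
    return X is not None and X[0] % N == r

def truncation_matches_prefix(msg: bytes) -> bool:
    """For P-256 the leftmost 256 bits of a SHA-512 digest are exactly its
    first 32 bytes, so the truncated E must equal that prefix read big-endian."""
    dg = hashlib.sha512(msg).digest()
    return hash_to_int(dg) == int.from_bytes(dg[:32], "big")

def demo():
    """Sign and verify a constructed message with a 256-bit and a 512-bit hash."""
    d = secrets.randbelow(N - 1) + 1
    Q = _mul(d, G)
    msg = b"IKEv2 AUTH payload (constructed sample)"   # constructed sample input
    results = {}
    for h in ("sha256", "sha512"):
        sig = sign(d, msg, h)
        results[h] = verify(Q, msg, sig, h) and not verify(Q, msg + b"x", sig, h)
    return results

if __name__ == "__main__":
    print(demo())
```

The practical point for an AUTH payload or certificate signature is that both sides must agree on this step: a verifier that reduces the full 512-bit digest mod n instead of taking the leftmost 256 bits computes a different E and rejects a valid SHA-512 signature over P-256. When the digest is shorter than n, as with SHA-256 over P-384, no truncation happens and E is the whole digest.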

