On Thu, 17 Nov 2016, Watson Ladd wrote:

Yes, with RSA I think it might be quite common for people to use the same
key for both RSA PKCS#1 v1.5 and RSA-PSS, and there is not really
anything we can do about that.

On the other hand, the interoperability issue we have now does not
really care whether you have one or two RSA private keys, as long as
the initiator can use either RSA-PSS or RSA PKCS#1 v1.5 and does not know
which one the responder will accept.

What about the approach of treating these as different authentication
methods? Or am I misunderstanding the scope of the problem? I'm not
that familiar with IKE2.

The AUTH signature includes data that is unique to each connection. For
IKEv2, both sides generate a randomized SPI number that is included in
the data to sign, as well as a nonce. So an attacker would have to trick
an endpoint into using one RSA version and then resend the IKE_AUTH packet
to try and do the other RSA version. It's not allowed by the protocol AFAIK.

https://tools.ietf.org/html/rfc7296#section-2.15

So I don't think it is a concern, but I think we should indeed look at
TLS as well, and agree on whether or not to use a context.

Paul


I think we might want to add text to rfc4307bis saying that the same
key should not be used with both RSA-PSS and PKCS#1 v1.5.

The rfc4307bis will be in IETF Last Call soon, so if you can read that
and see what it says about the signature algorithms and see if there
is something we need to add there, that would be great.

I will look over it.
--
kivi...@iki.fi



--
"Man is born free, but everywhere he is in chains".
--Rousseau.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
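The point Paul makes above, that the AUTH signature covers connection-unique data, and the thread's underlying concern, one RSA key used under both PKCS#1 v1.5 and PSS, can be seen concretely with Go's standard crypto/rsa. This is an added example, not code from the thread, any IKE implementation, or rfc4307bis. It assumes a simplified stand-in for the RFC 7296 section 2.15 signed octets (only SPIs, a nonce and an identity are bound; the real input also covers the whole first message and the MACed ID), and all SPIs, nonces and identities are constructed values. It signs one exchange's octets with a single key under both schemes, then checks what a responder sees when the padding scheme it expects does not match, and when a signature from one exchange is presented in another.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SignedOctets is a constructed stand-in for the IKEv2 AUTH input. RFC 7296
// section 2.15 signs the first message, the peer's nonce and the MACed ID;
// here only the connection-unique parts (both SPIs, a nonce) and an identity
// are bound into one byte string. That is enough to show why a signature
// produced for one exchange does not verify in another.
func SignedOctets(spiI, spiR uint64, nonce []byte, id string) []byte {
	buf := make([]byte, 16, 16+len(nonce)+len(id))
	binary.BigEndian.PutUint64(buf[0:8], spiI)
	binary.BigEndian.PutUint64(buf[8:16], spiR)
	buf = append(buf, nonce...)
	return append(buf, id...)
}

// SignPKCS1 and SignPSS produce the two signature forms under discussion
// over the same SHA-256 digest with the same RSA private key.
func SignPKCS1(key *rsa.PrivateKey, octets []byte) ([]byte, error) {
	digest := sha256.Sum256(octets)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

func SignPSS(key *rsa.PrivateKey, octets []byte) ([]byte, error) {
	digest := sha256.Sum256(octets)
	opts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], opts)
}

// VerifyAs checks a signature under the padding scheme the responder expects.
// A nil PSSOptions lets the verifier auto-detect the salt length.
func VerifyAs(pub *rsa.PublicKey, octets, sig []byte, usePSS bool) bool {
	digest := sha256.Sum256(octets)
	if usePSS {
		return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome records which verification attempts succeed in the scenario.
type Outcome struct {
	PKCS1Valid    bool // PKCS#1 v1.5 signature checked as PKCS#1 v1.5
	PSSValid      bool // PSS signature checked as PSS
	PKCS1AsPSS    bool // PKCS#1 v1.5 signature presented to a PSS verifier
	PSSAsPKCS1    bool // PSS signature presented to a PKCS#1 v1.5 verifier
	ReplayedPKCS1 bool // PKCS#1 v1.5 signature reused in a second exchange
}

// RunScenario signs one exchange's octets with a single key under both
// schemes, then runs the mismatched and replayed verifications.
func RunScenario() (Outcome, error) {
	var out Outcome
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	// Constructed exchange: fixed SPIs for readability, random nonce as in IKEv2.
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return out, err
	}
	octets := SignedOctets(0x1122334455667788, 0x8877665544332211, nonce, "initiator.example")

	sigPKCS1, err := SignPKCS1(key, octets)
	if err != nil {
		return out, err
	}
	sigPSS, err := SignPSS(key, octets)
	if err != nil {
		return out, err
	}
	pub := &key.PublicKey
	out.PKCS1Valid = VerifyAs(pub, octets, sigPKCS1, false)
	out.PSSValid = VerifyAs(pub, octets, sigPSS, true)
	out.PKCS1AsPSS = VerifyAs(pub, octets, sigPKCS1, true)
	out.PSSAsPKCS1 = VerifyAs(pub, octets, sigPSS, false)

	// A second exchange carries fresh SPIs and a fresh nonce, so the earlier
	// signature no longer matches the data the responder reconstructs.
	nonce2 := make([]byte, 32)
	if _, err := rand.Read(nonce2); err != nil {
		return out, err
	}
	octets2 := SignedOctets(0x0102030405060708, 0x0807060504030201, nonce2, "initiator.example")
	out.ReplayedPKCS1 = VerifyAs(pub, octets2, sigPKCS1, false)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running it prints the two expected successes and three failures: each signature verifies only under its own scheme, and the PKCS#1 v1.5 signature from the first exchange is rejected in the second because the SPIs and nonce in the reconstructed octets differ. That is the property the thread relies on; it does not, by itself, settle the separate question of whether one key should be shared between the two padding schemes, which is why the suggested rfc4307bis text is about key separation rather than about the AUTH construction.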

