On Dec 22, 2011, at 9:07 PM, Gaurav Poothia wrote:
Hello,
The basic IKEv2 cert auth mechanism for RSA (from RFC 5996) seems to be to hash
using SHA-1 before signing.
However when using ECDSA certs for IKEv2 I am trying to make sure I am reading
RFC 4754 correctly when it says the following:
“Moreover, ECDSA cannot be specified for IKEv2
independently of an associated hash function since IKEv2 does not
have a transform type for hash functions. For this reason, it is
necessary to specify the hash function as part of the signature
algorithm. Furthermore, the elliptic curve group must be specified
since the choice of hash function depends on it as well. As a
result, it is necessary to specify three signature algorithms, named
ECDSA-256, ECDSA-384, and ECDSA-521. Each of these algorithms
represents an instantiation of the ECDSA algorithm using a particular
elliptic curve group and hash function. The three hash functions are
specified in [SHS]. For reasons of consistency, this document
defines the signatures for IKE in the same way.
   Digital Signature
   Algorithm        Elliptic Curve Group         Hash Function
   -----------      --------------------------   ---------------
   ECDSA-256        256-bit random ECP group     SHA-256
   ECDSA-384        384-bit random ECP group     SHA-384
   ECDSA-521        521-bit random ECP group     SHA-512”
Does this mean we proceed just like RSA here, but hash with SHA-256 and not
SHA-1 for an ECDSA-256 cert, and then proceed to sign as usual?
Similarly use SHA-384 and SHA-512 for ECDSA-384 and ECDSA-521 respectively.
Is that the correct reading of this excerpt?
Hi Gaurav,
This is pretty much correct. With ECDSA you first hash with the specified hash
function, and then sign the hash with the ECDSA group. Note how the numbers
almost match up, so the size of the hash is exactly the size of the buffer to be
signed.
This is different from RSA, where the hash is much shorter than the buffer to
be signed. Even the longest hash anyone uses has only a 512-bit output, while
1024-bit signatures are considered too short these days, and 512-bit signatures
are apparently grounds for blacklisting a CA. With RSA you use the
RSASSA-PKCS1-v1_5 signature scheme, and that includes an identifier for the
hash algorithm, so you can use any hash you want.
Hope this helps
Yoav
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec