> On 3 Nov 2015, at 10:48 AM, Dan Harkins <dhark...@lounge.org> wrote:
>
> On Sun, November 1, 2015 7:21 pm, Yoav Nir wrote:
>>
>>> On 2 Nov 2015, at 11:44 AM, Paul Wouters <p...@nohats.ca> wrote:
>>>
>>> On Mon, 2 Nov 2015, Yoav Nir wrote:
>>>
>>>> P.S. Someone's asked me off-list whether there is any IPsecME
>>>> document that says not to trust SHA-1 in signatures, both AUTH payload
>>>> and certificates, the way the TLS 1.3 document may end up saying for
>>>> TLS. I'm wondering if RFC4307bis might be the place for this, in
>>>> particular the signature in AUTH payload. Just something to think about
>>>> before we bikeshed.
>>>> RFC4307bis Bikeshedding Session.
>>>
>>> We should have text to clarify the difference of algorithm use in
>>> IKE/IPsec and in AUTH processing. Initial thought is that AUTH
>>> processing crypto restrictions don't belong in 4307bis.
>>
>> I think we do need some kind of statement along the lines:
>> - With RSA signatures, use SHA-256 or better, not SHA-1 (BTW: 7296 says
>>   "SHOULD use SHA-1" and this is a document from only last year...)
>> - Don't use DSS because that is only defined with SHA-1.
>> - With ECDSA no need to specify because each curve comes with a hash
>
> Do you mean each _signature_ comes with a hash because you can
> use different hash algorithms to sign with any given curve. X9.62 in
> section 7.3, under Actions subsection e sub 1, even specifies what
> to do if the hash function used in the signature produces a digest
> that is greater than the length of the prime used in the curve
> definition-- namely, take the left-most length of prime bits of the
> digest to construct intermediate variable E.
X9.62 allows it, but IKEv2 does not. See the IKEv2 Authentication Method table at http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-12

There is 1 for "RSA Digital Signature" and you can encode any hash function that you would like, but for ECDSA there is:

  9 - ECDSA with SHA-256 on the P-256 curve
  10 - ECDSA with SHA-384 on the P-384 curve
  11 - ECDSA with SHA-512 on the P-521 curve

So unless you go by RFC 7427, you can't mix and match.

Yoav
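As an added illustration of the two points made in this exchange (not code from the thread or from any IKEv2 implementation): the X9.62 step Dan describes, where a digest longer than the curve order is truncated to its leftmost order-length bits to form E, beside the IKEv2 rule Yoav describes, where authentication methods 9, 10 and 11 each fix a single hash/curve pair and method 1 (RSA) does not bind a hash at all. The method values and their hash/curve bindings are the ones quoted above; the order bit lengths of P-256, P-384 and P-521 are public NIST curve parameters. The function names and the sample message are constructed for this example; RFC 7427's hash-negotiating method is deliberately not modelled.

```python
import hashlib
from typing import Optional

# IKEv2 Authentication Method values quoted in the message above
# (IANA "IKEv2 Authentication Method" registry). Method 1 leaves the hash
# choice to the signer; methods 9/10/11 bind one hash to one curve.
IKEV2_AUTH_METHODS = {
    1: ("RSA Digital Signature", None, None),
    9: ("ECDSA with SHA-256 on the P-256 curve", "sha256", "P-256"),
    10: ("ECDSA with SHA-384 on the P-384 curve", "sha384", "P-384"),
    11: ("ECDSA with SHA-512 on the P-521 curve", "sha512", "P-521"),
}

# Bit length of the group order n of each NIST curve (public parameters).
CURVE_ORDER_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}


def x962_truncate_digest(digest: bytes, order_bits: int) -> int:
    """Form the ECDSA integer E from a digest as X9.62 section 7.3 does:
    if the digest has more bits than the curve order, keep only the
    leftmost order_bits bits; otherwise the whole digest is used."""
    e = int.from_bytes(digest, "big")
    digest_bits = len(digest) * 8
    if digest_bits > order_bits:
        e >>= digest_bits - order_bits
    return e


def ikev2_hash_permitted(method_id: int, hash_name: str,
                         curve: Optional[str]) -> bool:
    """True if IKEv2 auth method `method_id` allows signing with
    `hash_name` (and, for ECDSA, on `curve`). Method 1 accepts any hash;
    methods 9-11 accept exactly one hash/curve pair. Unknown methods are
    rejected (hypothetical helper, not an IKEv2 implementation's API)."""
    entry = IKEV2_AUTH_METHODS.get(method_id)
    if entry is None:
        return False
    _, bound_hash, bound_curve = entry
    if bound_hash is None:
        return True
    return hash_name == bound_hash and curve == bound_curve


def ecdsa_e_for_method(method_id: int, message: bytes) -> int:
    """Compute E for an ECDSA auth method the IKEv2 way: the method fixes
    the hash and the curve, so X9.62 truncation never triggers for 9/10/11
    (SHA-512's 512 bits fit within P-521's 521-bit order)."""
    _, hash_name, curve = IKEV2_AUTH_METHODS[method_id]
    if hash_name is None:
        raise ValueError("method %d does not fix a hash" % method_id)
    digest = hashlib.new(hash_name, message).digest()
    return x962_truncate_digest(digest, CURVE_ORDER_BITS[curve])


if __name__ == "__main__":
    msg = b"constructed sample input, not a real AUTH payload"
    # What X9.62 alone permits: SHA-512 over P-256, digest cut to 256 bits.
    e_mixed = x962_truncate_digest(hashlib.sha512(msg).digest(),
                                   CURVE_ORDER_BITS["P-256"])
    print("X9.62 SHA-512/P-256 E fits in 256 bits:", e_mixed.bit_length() <= 256)
    # What IKEv2 method 9 permits: only SHA-256.
    print("method 9 with sha512 allowed:", ikev2_hash_permitted(9, "sha512", "P-256"))
    print("method 9 with sha256 allowed:", ikev2_hash_permitted(9, "sha256", "P-256"))
    # Method 11: SHA-512 on P-521, no truncation occurs.
    full = int.from_bytes(hashlib.sha512(msg).digest(), "big")
    print("method 11 E untruncated:", ecdsa_e_for_method(11, msg) == full)
```

Running the block shows the contrast directly: X9.62 happily reduces a SHA-512 digest for use on P-256, whereas the IKEv2 method table only ever pairs each curve with the one hash named in the registry entry.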