Compliance of RFC 7427 - Signature Authentication in IKEv2

From Libreswan
Revision as of 00:06, 28 August 2017 by Sahana Prasad

Project Statement and description:

Currently in IKEv2, signature-based authentication is defined per algorithm: there is one authentication method for RSA digital signatures, one for DSS digital signatures (using SHA-1), and three for different ECDSA curves, each tied to exactly one hash algorithm. This design is cumbersome when more signature algorithms, hash algorithms, and elliptic curves need to be supported.

RFC 7427 generalizes IKEv2 signature support to allow any signature method supported by PKIX and also adds signature hash algorithm negotiation.
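The two RFC 7427 mechanisms named above, as an added C example that is not Libreswan code: the peer's SIGNATURE_HASH_ALGORITHMS notification carries a list of 16-bit hash identifiers, and the Digital Signature authentication data is a length octet, a DER AlgorithmIdentifier, then the signature. The function names, the local preference order (SHA-1 refused) and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hash identifiers from the RFC 7427 registry. SHA1 (1) is deliberately
 * absent from the local policy, which is an assumption of this example. */
enum { HASH_SHA2_256 = 2, HASH_SHA2_384 = 3, HASH_SHA2_512 = 4 };
static const uint16_t local_pref[] = { HASH_SHA2_512, HASH_SHA2_384, HASH_SHA2_256 };

/* Constructed sample: peer advertises SHA1, SHA2-256 and SHA2-512. */
static const uint8_t sample_notify[] = { 0x00,0x01, 0x00,0x02, 0x00,0x04 };
/* Constructed sample: length octet, sha256WithRSAEncryption
 * AlgorithmIdentifier, then 4 placeholder bytes standing in for a signature. */
static const uint8_t sample_auth[] = { 0x0f,
    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,
    0xde,0xad,0xbe,0xef };

/* Pick the hash to sign with: the first local preference that the peer also
 * listed. Returns 0 on malformed data or when nothing is in common. */
uint16_t pick_sig_hash(const uint8_t *d, size_t len)
{
    if (len == 0 || len % 2 != 0)
        return 0;
    for (size_t p = 0; p < sizeof local_pref / sizeof local_pref[0]; p++)
        for (size_t i = 0; i < len; i += 2)
            if ((((uint16_t)d[i] << 8) | d[i + 1]) == local_pref[p])
                return local_pref[p];
    return 0;
}

/* Split Digital Signature authentication data. Returns the length of the
 * AlgorithmIdentifier (which starts at a[1]) and stores the signature offset
 * in *sig_off; returns 0 if the framing is inconsistent. */
size_t split_auth_data(const uint8_t *a, size_t len, size_t *sig_off)
{
    if (len < 4)
        return 0;
    size_t n = a[0];
    if (n < 2 || 1 + n >= len)            /* must leave room for a signature */
        return 0;
    if (a[1] != 0x30 || (size_t)a[2] != n - 2) /* DER SEQUENCE, short-form length only */
        return 0;
    *sig_off = 1 + n;
    return n;
}

int main(void)
{
    size_t off = 0, n = split_auth_data(sample_auth, sizeof sample_auth, &off);
    printf("hash=%u algid_len=%zu sig_off=%zu\n",
           (unsigned)pick_sig_hash(sample_notify, sizeof sample_notify), n, off);
    return 0;
}
```

A receiver would additionally check that the hash named by the extracted AlgorithmIdentifier is one it advertised in its own notification before verifying the signature.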

Why is it important for libreswan and what problem does it solve?

Currently Libreswan only supports RSA as the digital signature authentication method. An extension is therefore needed so that other methods, such as ECDSA or EdDSA, can be used easily. Implementation of RFC 7427 would solve this problem as the new digital signature method is flexible enough to include all current signature methods (RSA, DSA, ECDSA, RSASSA-PSS, etc.) and add new methods (ECGDSA, ElGamal, etc.) in the future.


I strongly believe that anonymity and data privacy on the internet should be made available for everyone. I want to solve this problem and make the internet more secure. To achieve this, I am taking part in the Google Summer of Code global challenge (May 30th - August 29th, 2017). This program enables students to learn about open source development. I chose to collaborate with Libreswan.

Libreswan is a free software implementation of the most widely supported and standardized VPN protocol based on IP Security and the Internet Key Exchange (IKE). These standards have been created and are still maintained at the Internet Engineering Task Force (IETF). My task is to implement the RFC-7427 (https://tools.ietf.org/html/rfc7427) on Libreswan software. RFC-7427 deals with Signature Authentication on the Internet.

Currently on the Internet there are two problems: The sending and receiving parties do not know which Hash algorithm is used to generate a signature. Each time there is a new Signature algorithm, a new Authentication method is required. This becomes cumbersome. To solve this, RFC-7427 provides a nice way to negotiate which Hash algorithms are to be used by the sender and receiver. It also generalizes an Authentication method that allows any Signature algorithms that are supported by the Public Key Infrastructure. If Libreswan is RFC-7427 compliant, then the thousands of users using its VPN service would be more secure.