Compliance of RFC 7427 - Signature Authentication in IKEv2

From Libreswan
Revision as of 00:13, 28 August 2017 by Sahana Prasad (talk | contribs)

Currently in Internet Key Exchange version 2 (IKEv2), signature-based authentication is defined per algorithm: there is one authentication method for RSA digital signatures, one for DSS digital signatures (using SHA-1), and three for different ECDSA curves, each tied to exactly one hash algorithm. This leads to two problems:

1. The sending and receiving parties do not know which hash algorithm is used to generate a signature.
2. Each time there is a new signature algorithm, a new authentication method is required.

Therefore this design is cumbersome when more signature algorithms, hash algorithms, and elliptic curves need to be supported.

RFC 7427 solves these problems by generalising the IKEv2 signature support to allow any signature method supported by PKIX, and it also adds signature hash algorithm negotiation. RFC 7427 recommends a new digital signature method that is flexible enough to include all current signature methods (RSA, DSA, ECDSA, RSASSA-PSS, etc.) and to add new methods (ECGDSA, ElGamal, etc.) in the future.
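In RFC 7427's Digital Signature method, the Authentication Data starts with a one-octet length and a DER AlgorithmIdentifier, followed by the signature value. The sketch below is an added example, not Libreswan code: it shows how a receiver can split that field and reject a signature whose hash it never advertised in SIGNATURE_HASH_ALGORITHMS. The name `parse_sig_auth`, the bitmask convention and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hash identifiers carried in the RFC 7427 SIGNATURE_HASH_ALGORITHMS notify. */
enum { HASH_SHA1 = 1, HASH_SHA2_256 = 2, HASH_SHA2_384 = 3, HASH_SHA2_512 = 4 };

/* DER AlgorithmIdentifier encodings (two of those listed in RFC 7427 Appendix A). */
static const uint8_t RSA_SHA256[] = { 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
                                      0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00 };
static const uint8_t ECDSA_SHA256[] = { 0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,
                                        0xce,0x3d,0x04,0x03,0x02 };
static const struct { const uint8_t *der; size_t len; int hash; } KNOWN[] = {
    { RSA_SHA256, sizeof RSA_SHA256, HASH_SHA2_256 },
    { ECDSA_SHA256, sizeof ECDSA_SHA256, HASH_SHA2_256 },
};

/* Constructed sample: length octet, AlgorithmIdentifier, 4 dummy signature bytes. */
static const uint8_t SAMPLE_AUTH[] = { 0x0f, 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
    0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00, 0xde,0xad,0xbe,0xef };

/* Split the Authentication Data of a Digital Signature AUTH payload.
 * advertised: bit N set if we listed hash id N in SIGNATURE_HASH_ALGORITHMS.
 * Returns the hash id, or -1 malformed, -2 unknown algorithm, -3 hash not advertised. */
int parse_sig_auth(const uint8_t *d, size_t len, unsigned advertised,
                   const uint8_t **sig, size_t *sig_len)
{
    if (len < 3 || d[0] == 0 || (size_t)d[0] + 1 >= len)
        return -1;                       /* no room for algorithm plus signature */
    size_t alg_len = d[0];
    for (size_t i = 0; i < sizeof KNOWN / sizeof KNOWN[0]; i++) {
        if (KNOWN[i].len != alg_len || memcmp(d + 1, KNOWN[i].der, alg_len) != 0)
            continue;
        if (!(advertised & (1u << KNOWN[i].hash)))
            return -3;                   /* peer signed with a hash we never offered */
        *sig = d + 1 + alg_len;          /* signature value follows the identifier */
        *sig_len = len - 1 - alg_len;
        return KNOWN[i].hash;
    }
    return -2;
}

int main(void)
{
    const uint8_t *sig = NULL; size_t n = 0;
    int h = parse_sig_auth(SAMPLE_AUTH, sizeof SAMPLE_AUTH, 1u << HASH_SHA2_256, &sig, &n);
    printf("hash id %d, signature %zu bytes\n", h, n);
    return 0;
}
```

Matching the AlgorithmIdentifier as an opaque byte string against a fixed table avoids running a general ASN.1 parser on unauthenticated input.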



Future work: Currently Libreswan only supports RSA as the digital signature authentication method. It needs to be enhanced