Extend RFC-7427 Signature Authentication support to IKEv2 with ECDSA
Introduction
As part of Google summer of Code work in 2017 described in , RFC-7427 Digital Signature Authentication was implemented with support for RSA. This work is an extension to support ECDSA. Implementation of ECDSA requires the modification of the existing Libreswan public key code to fix the RSA only parts so that it is able to accept different new types of keys in the future ( not just limited to ECDSA ). This will ensure compliance to RFC-7427 and RFC-8247.
Implementation
To make Libreswan RFC 7427 compliant, the following items have been implemented :
1. Hash Algorithm Notification
Notify payload of type SIGNATURE_HASH_ALGORITHMS is sent inside the IKE_SA_INIT exchange. The supported hash algorithms like SHA1, SHA2 and IDENTITY are exchanged by the initiator and responder in this notify payload. The negotiated hash algorithm is the one that is supported by both parties. This hash algorithm is used to generate the signature sent in the Authentication payload. The decision of sending the Hash Algorithm notification when Libreswan is the initiator is based on checking which Signature algorithm is configured in the "authby" parameter in ipsec.conf. When Libreswan is the responder, it responds with a hash algorithm notification only if it has received one and SHA-1 was sent in it.
2. Authentication payload
A new Authentication Method called Digital Signature is sent in the IKE_AUTH message exchange. Earlier, the Authentication Data field inside the Authentication payload contained only the signature value. Now, the signature value is prefixed with an ASN.1 object indicating the algorithm used to generate the signature. The ASN.1 object contains the algorithm identification OID, which identifies both the signature algorithm and the hash algorithm used for calculating the signature. IANA registry specifies the values to be used. The initial Digital Signature Authentication method implementation for Libreswan only includes support for the RSA with SHA-1 hash algorithm.
The following items are not yet implemented :
- Support for Signature Algorithms ECDSA and RSASSA-PSS
- Support for Hash Algorithm SHA-2
3. Test Suite changes
The Test Suite was extended by adding test cases to verify feature functionality and perform interoperability tests. Negative tests cases were added using impairments that emulate clients that do not support the Digital Signature Authentication scheme as specified by the RFC 7427, to confirm connectivity with clients not supporting the new Authentication Method.
Issues encountered
The RFC 4307bis mandates the usage of RSASSA-PSS along with Digital Signature Authentication. However the older flavour PKCS v1.5 may still be supported. But a way to indicate to the peer, which flavour of RSA should be used is not yet described. Since no other client supports RSASSA-PSS, interoperability tests cannot be performed.
Future work
- Support for Signature algorithms ECDSA and RSASSA-PSS
Implementation of ECDSA requires the extension of the Libreswan's public key code to remove the hardwiring for RSA. Implementation of RSASSA-PSS would have to use different NSS library method call. The implementation is waiting for RFC 4307bis to clarify the usage of PSS.
- Support for Hash algorithm SHA-2.
SHA2 needs an extended parser for the authby = keyword, in ipsec.conf.
Source code
Addition and modification of test cases
This project work was sponsored by Google as part of the Google Summer of Code 2017 Program. The implementation for this project is done by Sahana Prasad (sahana.prasad07@gmail.com) under the tutelage of Paul Wouters.