diff options
Diffstat (limited to 'doc/rfc/rfc9593.txt')
-rw-r--r-- | doc/rfc/rfc9593.txt | 628 |
1 files changed, 628 insertions, 0 deletions
diff --git a/doc/rfc/rfc9593.txt b/doc/rfc/rfc9593.txt new file mode 100644 index 0000000..70ff740 --- /dev/null +++ b/doc/rfc/rfc9593.txt @@ -0,0 +1,628 @@ + + + + +Internet Engineering Task Force (IETF) V. Smyslov +Request for Comments: 9593 ELVIS-PLUS +Category: Standards Track July 2024 +ISSN: 2070-1721 + + +Announcing Supported Authentication Methods in the Internet Key Exchange + Protocol Version 2 (IKEv2) + +Abstract + + This specification defines a mechanism that allows implementations of + the Internet Key Exchange Protocol Version 2 (IKEv2) to indicate the + list of supported authentication methods to their peers while + establishing IKEv2 Security Associations (SAs). This mechanism + improves interoperability when IKEv2 partners are configured with + multiple credentials of different types for authenticating each + other. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc9593. + +Copyright Notice + + Copyright (c) 2024 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Revised BSD License text as described in Section 4.e of the + Trust Legal Provisions and are provided without warranty as described + in the Revised BSD License. + +Table of Contents + + 1. Introduction + 2. Terminology and Notation + 3. Protocol Details + 3.1. Exchanges + 3.2. SUPPORTED_AUTH_METHODS Notify Message Type + 3.2.1. 2-Octet Announcement + 3.2.2. 3-Octet Announcement + 3.2.3. Multi-octet Announcement + 4. Interaction with IKEv2 Extensions concerning Authentication + 5. IANA Considerations + 6. Security Considerations + 7. References + 7.1. Normative References + 7.2. Informative References + Appendix A. Examples of Announcing Supported Authentication + Methods + A.1. No Need to Use the IKE_INTERMEDIATE Exchange + A.2. With Use of the IKE_INTERMEDIATE Exchange + Acknowledgments + Author's Address + +1. Introduction + + The Internet Key Exchange Protocol Version 2 (IKEv2), defined in + [RFC7296], performs authenticated key exchange in IPsec. IKEv2, + unlike its predecessor IKEv1, defined in [RFC2409], doesn't include a + mechanism to negotiate an authentication method that the peers would + use to authenticate each other. It is assumed that each peer selects + whichever authentication method it thinks is appropriate, depending + on authentication credentials it has. + + This approach generally works well when there is no ambiguity in + selecting authentication credentials. SA establishment failure + between peers may occur when there are several credentials of + different types configured on one peer, while only some of them are + supported on the other peer. Another problem situation is when a + single credential may be used to produce different types of + authentication tokens (e.g., signatures of different formats). Since + IKEv2 requires that each peer use exactly one authentication method, + and it doesn't provide means for peers to indicate to the other side + which authentication methods they support, the peer that supports a + wider range of authentication methods (or authentication token + formats) could improperly select a method (or format) that is not + supported by the other side. + + Emerging post-quantum signature algorithms may bring additional + challenges for implementations, especially if so-called hybrid + schemes are used (e.g., see [COMPOSITE-SIGS]). + + This specification defines an extension to the IKEv2 protocol that + allows peers to announce their supported authentication methods, thus + decreasing risks of SA establishment failure in situations when there + are several ways for the peers to authenticate themselves. + +2. Terminology and Notation + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + +3. Protocol Details + + When establishing an IKE SA, each party may send to its peer a list + of the authentication methods it supports and is configured to use. + For this purpose, this specification introduces a new Notify Message + Type SUPPORTED_AUTH_METHODS. The Notify payload with this Notify + Message Type is utilized to convey the supported authentication + methods of the party sending it. The sending party may additionally + specify that some of the authentication methods are only for use with + the particular trust anchors. The receiving party may take this + information into consideration when selecting an algorithm for its + authentication (i.e., the algorithm used for calculation of the AUTH + payload) if several alternatives are available. To simplify the + receiver's task of linking the announced authentication methods with + the trust anchors, the protocol ensures that the + SUPPORTED_AUTH_METHODS notification is always co-located with the + CERTREQ payload in the same message. + +3.1. Exchanges + + The initiator starts the IKE_SA_INIT exchange as usual. If the + responder is willing to use this extension, it includes a new + notification SUPPORTED_AUTH_METHODS in the IKE_SA_INIT response + message. This notification contains a list of authentication methods + supported by the responder, ordered by their preference. + + Initiator Responder + ----------- ----------- + HDR, SAi1, KEi, Ni --> + <-- HDR, SAr1, KEr, Nr, [CERTREQ,] + [N(SUPPORTED_AUTH_METHODS)(...)] + + Figure 1: The IKE_SA_INIT Exchange + + If the initiator doesn't support this extension, it ignores the + received notification as an unknown status notify. + + Regardless of whether the notification is received, if the initiator + supports and is willing to use this extension, it includes the + SUPPORTED_AUTH_METHODS notification in the IKE_AUTH request message, + with a list of authentication methods supported by the initiator, + ordered by their preference. + + Initiator Responder + ----------- ----------- + HDR, SK {IDi, [CERT,] [CERTREQ,] + [IDr,] AUTH, SAi2, TSi, TSr, + [N(SUPPORTED_AUTH_METHODS)(...)] } --> + <-- HDR, SK {IDr, [CERT,] + AUTH, SAr2, TSi, TSr } + + Figure 2: The IKE_AUTH Exchange + + Because the responder sends the SUPPORTED_AUTH_METHODS notification + in the IKE_SA_INIT exchange, it must take into account that the + response message could grow so much that the IP fragmentation might + take place. + + * the SUPPORTED_AUTH_METHODS notification to be included is so + large, that the responder suspects that IP fragmentation of the + resulting IKE_SA_INIT response message may happen; + + * both peers support the IKE_INTERMEDIATE exchange, defined in + [RFC9242] (i.e., the responder has received and is going to send + the INTERMEDIATE_EXCHANGE_SUPPORTED notification); + + then the responder MAY choose not to send an actual list of the + supported authentication methods in the IKE_SA_INIT exchange and + instead ask the initiator to start the IKE_INTERMEDIATE exchange for + the list to be sent in. This would allow using IKE fragmentation + [RFC7383] for long messages (which cannot be used in the IKE_SA_INIT + exchange), thus avoiding IP fragmentation. In this case, the + responder includes a SUPPORTED_AUTH_METHODS notification containing + no data in the IKE_SA_INIT response. + + If the initiator receives the empty SUPPORTED_AUTH_METHODS + notification in the IKE_SA_INIT exchange, it means that the responder + is going to send the list of the supported authentication methods in + the IKE_INTERMEDIATE exchange. If this exchange is to be initiated + anyway for some other reason, then the responder MAY use it to send + the SUPPORTED_AUTH_METHODS notification. Otherwise, the initiator + MAY start the IKE_INTERMEDIATE exchange for this sole purpose by + sending an empty IKE_INTERMEDIATE request. The initiator MAY also + indicate its identity (and possibly the perceived responder's + identity too) by including the IDi payload (possibly along with the + IDr payload) in the IKE_INTERMEDIATE request. This information could + help the responder to send back only those authentication methods + that are configured to be used for authentication of this particular + initiator. If these payloads are sent, they MUST be identical to the + IDi/IDr payloads sent later in the IKE_AUTH request. + + If the responder has sent any CERTREQ payload in the IKE_SA_INIT, + then it SHOULD resend the same payload(s) in the IKE_INTERMEDIATE + response containing the SUPPORTED_AUTH_METHODS notification if any of + the included Announcements has a non-zero Cert Link field (see + Sections 3.2.2 and 3.2.3). This requirement allows peers to have a + list of Announcements and a list of CAs in the same message, which + simplifies their linking. Note that this requirement is always + fulfilled for the IKE_SA_INIT and IKE_AUTH exchanges. However, if + for any reason the responder doesn't resend CERTREQ payload(s) in the + IKE_INTERMEDIATE exchange, then the initiator MUST NOT abort + negotiation. Instead, the initiator MAY either link the + Announcements to the CAs received in the IKE_SA_INIT response, or it + MAY ignore the Announcements containing links to CAs. + + If multiple IKE_INTERMEDIATE exchanges take place during IKE SA + establishments, it is RECOMMENDED that the responder use the last + IKE_INTERMEDIATE exchange (the one just before IKE_AUTH) to send the + list of supported authentication methods. However, it is not always + possible for the responder to know how many IKE_INTERMEDIATE + exchanges the initiator will use. In this case the responder MAY + send the list in any IKE_INTERMEDIATE exchange. If the initiator + sends IDi/IDr in an IKE_INTERMEDIATE request, then it is RECOMMENDED + that the responder sends back the list of authentication methods in + the response. + + Initiator Responder + ----------- ----------- + HDR, SAi1, KEi, Ni --> + <-- HDR, SAr1, KEr, Nr, [CERTREQ,] + [N(SUPPORTED_AUTH_METHODS)()] + + HDR, SK {..., [IDi, [IDr,]]} --> + <-- HDR, SK {..., [CERTREQ,] + [N(SUPPORTED_AUTH_METHODS)(...)] } + + HDR, SK {IDi, [CERT,] [CERTREQ,] + [IDr,] AUTH, SAi2, TSi, TSr, + [N(SUPPORTED_AUTH_METHODS)(...)] } --> + <-- HDR, SK {IDr, [CERT,] + AUTH, SAr2, TSi, TSr } + + Figure 3: Using the IKE_INTERMEDIATE Exchange for Sending + Authentication Methods + + Note that sending the SUPPORTED_AUTH_METHODS notification and using + information obtained from it are optional for both the initiator and + the responder. If multiple SUPPORTED_AUTH_METHODS notifications are + included in a message, all their announcements form a single ordered + list, unless overridden by other extension (see Section 4). + +3.2. SUPPORTED_AUTH_METHODS Notify Message Type + + The format of the SUPPORTED_AUTH_METHODS Notify payload is shown + below. + + 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Next Payload |C| RESERVED | Payload Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Protocol ID | SPI Size | Notify Message Type | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + ~ List of Supported Auth Methods Announcements ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 4: SUPPORTED_AUTH_METHODS Notify Payload Format + + The Notify payload format is defined in Section 3.10 of [RFC7296]. + When a Notify payload of type SUPPORTED_AUTH_METHODS is sent, the + Protocol ID field is set to 0, the SPI Size is set to 0 (meaning + there is no SPI field), and the Notify Message Type is set to 16443. + + Notification data contains the list of supported authentication + methods announcements. Each individual announcement is a variable- + size data blob whose format depends on the announced authentication + method. The blob always starts with an octet containing the length + of the blob followed by an octet containing the authentication + method. Authentication methods are represented as values from the + "IKEv2 Authentication Method" registry defined in [IKEV2-IANA]. The + meaning of the remaining octets of the blob, if any, depends on the + authentication method. Note that, for the currently defined + authentication methods, the length octet fully defines both the + format and the semantics of the blob. + + If more authentication methods are defined in the future, the + corresponding documents must describe the semantics of the + announcements for these methods. Implementations MUST ignore + announcements whose semantics they don't understand. + +3.2.1. 2-Octet Announcement + + If the announcement contains an authentication method that is not + concerned with public key cryptography, then the following format is + used. + + 1 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Length (=2) | Auth Method | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 5: 2-Octet Announcement Format + + Length: Length of the blob in octets; must be 2 for this case. + + Auth Method: Announced authentication method. + + This format is applicable for the authentication methods "Shared Key + Message Integrity Code" (2) and "NULL Authentication" (13). Note + that the authentication method "Generic Secure Password + Authentication Method" (12) would also fall in this category; + however, it is negotiated separately (see [RFC6467]), and for this + reason there is no point to announce it via this mechanism. See also + Section 4. + +3.2.2. 3-Octet Announcement + + If the announcement contains an authentication method that is + concerned with public key cryptography, then the following format is + used. This format allows linking the announcement with a particular + trust anchor from the Certificate Request payload. + + 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Length (=3) | Auth Method | Cert Link | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 6: 3-Octet Announcement Format + + Length: Length of the blob in octets; must be 3 for this case. + + Auth Method: Announced authentication method. + + Cert Link: Links this announcement with a particular CA. + + If the Cert Link field contains a non-zero value N, it means that the + announced authentication method is intended to be used only with the + N-th trust anchor (CA certificate) from the Certificate Request + payload(s) sent by this peer. If it is zero, then this + authentication method may be used with any CA. If multiple CERTREQ + payloads were sent, the CAs from all of them are treated as a single + list for the purpose of the linking. If no Certificate Request + payload were received, the content of this field MUST be ignored and + treated as zero. + + This format is applicable for the authentication methods "RSA Digital + Signature" (1), "DSS Digital Signature" (3), "ECDSA with SHA-256 on + the P-256 curve" (9), "ECDSA with SHA-384 on the P-384 curve" (10) + and "ECDSA with SHA-512 on the P-521 curve" (11). Note, however, + that these authentication methods are currently superseded by the + "Digital Signature" (14) authentication method, which has a different + announcement format, described below. + +3.2.3. Multi-octet Announcement + + The following format is currently used only with the "Digital + Signature" (14) authentication method. + + 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Length (>3) | Auth Method | Cert Link | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + | | + ~ AlgorithmIdentifier ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 7: Multi-octet Announcement Format + + Length: Length of the blob in octets; must be greater than 3 for + this case. + + Auth Method: Announced authentication method. At the time of + writing this document, only value 14 ("Digital Signature") is + allowed. + + Cert Link: Links this announcement with a particular CA; see + Section 3.2.2 for details. + + AlgorithmIdentifier: The variable-length ASN.1 object that is + encoded using Distinguished Encoding Rules (DER) [X.690] and + identifies the signature algorithm (see Section 4.1.1.2 of + [RFC5280]). + + The "Digital Signature" authentication method, defined in [RFC7427], + supersedes previously defined signature authentication methods. In + this case, the real authentication algorithm is identified via + AlgorithmIdentifier ASN.1 object. Appendix A of [RFC7427] contains + examples of commonly used ASN.1 objects. + +4. Interaction with IKEv2 Extensions concerning Authentication + + Generally in IKEv2 each party independently determines the way it + authenticates itself to the peer. In other words, authentication + methods selected by the peers need not be the same. However, some + IKEv2 extensions break this rule. + + The prominent example is "Secure Password Framework for Internet Key + Exchange Version 2" [RFC6467], which defines a framework for using + secure password authentication in IKEv2. With this framework, peers + negotiate using one of the secure password methods in the IKE_SA_INIT + exchange -- the initiator sends a list of supported methods in the + request, and the responder picks one of them and sends it back in the + response. + + If peers negotiate secure password authentication, then the selected + method is used by both initiator and responder, and no other + authentication methods are involved. For this reason, there is no + point to announce supported authentication methods in this case. + Thus, if the peers choose to go with secure password authentication, + they MUST NOT send the SUPPORTED_AUTH_METHODS notification. + + In the situation when peers are going to use Multiple Authentication + Exchanges [RFC4739], they MAY include multiple SUPPORTED_AUTH_METHODS + notifications (instead of one), each containing authentication + methods appropriate for each authentication round. The notifications + are included in the order of the preference of performing + authentication rounds. + +5. IANA Considerations + + This document defines a new type in the "IKEv2 Notify Message Status + Types" registry: + + +=======+============================+===========+ + | Value | Notify Message Status Type | Reference | + +=======+============================+===========+ + | 16443 | SUPPORTED_AUTH_METHODS | RFC 9593 | + +-------+----------------------------+-----------+ + + Table 1 + +6. Security Considerations + + Security considerations for the IKEv2 protocol are discussed in + [RFC7296]. Security properties of different authentication methods + vary. Refer to corresponding documents, listed in the "IKEv2 + Authentication Method" registry on [IKEV2-IANA] for discussion of + security properties of each authentication method. + + Announcing authentication methods gives an eavesdropper additional + information about peers' capabilities. If a peer advertises "NULL + Authentication" along with other methods, then an active on-path + attacker can encourage peers to use NULL authentication by removing + all other announcements. Note that this is not a real "downgrade" + attack, since authentication methods in IKEv2 are not negotiated, and + in this case NULL authentication should be allowed by local security + policy. + + Similarly, if an on-path attacker can break some of the announced + authentication methods online, then the attacker can encourage peers + to use one of these weaker methods by removing all other + announcements, and if this succeeds, then perform a person-in-the- + middle attack. + +7. References + +7.1. Normative References + + [IKEV2-IANA] + IANA, "Internet Key Exchange Version 2 (IKEv2) + Parameters", + <https://www.iana.org/assignments/ikev2-parameters/>. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <https://www.rfc-editor.org/info/rfc2119>. + + [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., + Housley, R., and W. Polk, "Internet X.509 Public Key + Infrastructure Certificate and Certificate Revocation List + (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, + <https://www.rfc-editor.org/info/rfc5280>. + + [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. + Kivinen, "Internet Key Exchange Protocol Version 2 + (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October + 2014, <https://www.rfc-editor.org/info/rfc7296>. + + [RFC7427] Kivinen, T. and J. Snyder, "Signature Authentication in + the Internet Key Exchange Version 2 (IKEv2)", RFC 7427, + DOI 10.17487/RFC7427, January 2015, + <https://www.rfc-editor.org/info/rfc7427>. + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, <https://www.rfc-editor.org/info/rfc8174>. + + [RFC9242] Smyslov, V., "Intermediate Exchange in the Internet Key + Exchange Protocol Version 2 (IKEv2)", RFC 9242, + DOI 10.17487/RFC9242, May 2022, + <https://www.rfc-editor.org/info/rfc9242>. + + [X.690] ITU-T, "Information Technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), Canonical + Encoding Rules (CER) and Distinguished Encoding Rules + (DER)", ISO/IEC 8825-1:2021 (E), ITU-T + Recommendation X.690, February 2021. + +7.2. Informative References + + [COMPOSITE-SIGS] + Ounsworth, M., Gray, J., Pala, M., and J. Klaussner, + "Composite Signatures For Use In Internet PKI", Work in + Progress, Internet-Draft, draft-ietf-lamps-pq-composite- + sigs-01, 24 May 2024, + <https://datatracker.ietf.org/doc/html/draft-ietf-lamps- + pq-composite-sigs-01>. + + [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange + (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998, + <https://www.rfc-editor.org/info/rfc2409>. + + [RFC4739] Eronen, P. and J. Korhonen, "Multiple Authentication + Exchanges in the Internet Key Exchange (IKEv2) Protocol", + RFC 4739, DOI 10.17487/RFC4739, November 2006, + <https://www.rfc-editor.org/info/rfc4739>. + + [RFC6467] Kivinen, T., "Secure Password Framework for Internet Key + Exchange Version 2 (IKEv2)", RFC 6467, + DOI 10.17487/RFC6467, December 2011, + <https://www.rfc-editor.org/info/rfc6467>. + + [RFC7383] Smyslov, V., "Internet Key Exchange Protocol Version 2 + (IKEv2) Message Fragmentation", RFC 7383, + DOI 10.17487/RFC7383, November 2014, + <https://www.rfc-editor.org/info/rfc7383>. + +Appendix A. Examples of Announcing Supported Authentication Methods + + This appendix shows some examples of announcing authentication + methods. This appendix is purely informative; if it disagrees with + the body of this document, the other text is considered correct. + Note that some payloads that are not relevant to this specification + may be omitted for brevity. + +A.1. No Need to Use the IKE_INTERMEDIATE Exchange + + This example illustrates the situation when the + SUPPORTED_AUTH_METHODS Notify payload fits into the IKE_SA_INIT + message, and thus the IKE_INTERMEDIATE exchange is not needed. In + this scenario, the responder announces that it supports the "Shared + Key Message Integrity Code" and the "NULL Authentication" + authentication methods. The initiator informs the responder that it + supports only the "Shared Key Message Integrity Code" authentication + method. + + Initiator Responder + ----------- ----------- + IKE_SA_INIT + HDR, SAi1, KEi, Ni --> + <-- HDR, SAr1, KEr, Nr, + N(SUPPORTED_AUTH_METHODS( + PSK, NULL)) + + IKE_AUTH + HDR, SK {IDi, + AUTH, SAi2, TSi, TSr, + N(SUPPORTED_AUTH_METHODS(PSK))} --> + <-- HDR, SK {IDr, + AUTH, SAr2, TSi, TSr} + +A.2. With Use of the IKE_INTERMEDIATE Exchange + + This example illustrates the situation when the IKE_INTERMEDIATE + exchange is used. In this scenario, the responder announces that it + supports the "Digital signature" authentication method using the + RSASSA-PSS algorithm with CA1 and CA2 and the same method using the + ECDSA algorithm with CA3. The initiator supports only the "Digital + signature" authentication method using the RSASSA-PSS algorithm with + no link to a particular CA. + + Initiator Responder + ----------- ----------- + IKE_SA_INIT + HDR, SAi1, KEi, Ni, + N(SIGNATURE_HASH_ALGORITHMS) --> + <-- HDR, SAr1, KEr, Nr, + CERTREQ(CA1, CA2, CA3), + N(SIGNATURE_HASH_ALGORITHMS), + N(SUPPORTED_AUTH_METHODS()) + + IKE_INTERMEDIATE + HDR, SK {..., IDi]} --> + <-- HDR, SK {..., + CERTREQ(CA1, CA2, CA3), + N(SUPPORTED_AUTH_METHODS( + SIGNATURE(RSASSA-PSS:1), + SIGNATURE(RSASSA-PSS:2), + SIGNATURE(ECDSA:3)))} + + IKE_AUTH + HDR, SK {IDi, CERT, CERTREQ(CA2), + AUTH, SAi2, TSi, TSr, + N(SUPPORTED_AUTH_METHODS( + SIGNATURE(RSASSA-PSS:0)))} --> + <-- HDR, SK {IDr, CERT, + AUTH, SAr2, TSi, TSr} + +Acknowledgments + + The author would like to thank Paul Wouters for his valuable comments + and proposals. The author is also grateful to Daniel Van Geest, who + made proposals for protocol improvement. Reese Enghardt and Rifaat + Shekh-Yusef contributed to the clarity of the document. + +Author's Address + + Valery Smyslov + ELVIS-PLUS + PO Box 81 + Moscow (Zelenograd) + 124460 + Russian Federation + Phone: +7 495 276 0211 + Email: svan@elvis.ru |