IKEv1 Phase 1, authentication with signature, sending certificates "optionally"

hadz

6/22/23, 1:15 PM

At RFC2409, section 5.1, authentication header is like:

HDR*, IDii, [ CERT, ] SIG_I

HDR is an ISAKMP header whose exchange type is the mode. When writen as HDR* it indicates payload encryption.

IDii is ID of initiator

[CERT] means that sending certificate is optional

SIG_I is signature of initiator.

Why sending certificate payload is optional? How just sending signature is enough for authentication?

0 + 0

authentication

signature

certificates

ipsec

Score:1

Crypto

poncho

6/22/23, 1:37 PM

Why sending certificate payload is optional? How just sending signature is enough for authentication?

I believe that the intent was to support cases where you don't have a PKI, and hence don't have certificates. In those situations, you would configure the public key of the peer on each device; in that specific case, the signature was sufficient (because the authentic public key was already known).

0 + 0

Score:1

Crypto

Marc Ilunga

6/23/23, 10:34 AM

Many Authenticated Key Exchange frameworks (AKE) allow the communication partner's certificate / long-term public key to be known in advance. This is used, for example, in Lightweight AKEs to keep the bandwidth requirement as low as possible. For another example where certificates are not sent: https://datatracker.ietf.org/wg/lake/about/.

0 + 0

poncho

6/23/23, 5:49 PM

Looking back at the concerns they had in 1998, they weren't concerned that much with bandwidth - the complexity of PKI (which was even worse then than it is now; they didn't have today's tooling) was what concerned them...

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: IKEv1 Phase 1, authentication with signature, sending certificates "optionally"

TH: IKEv1 Phase 1, การพิสูจน์ตัวตนด้วยลายเซ็น, การส่งใบรับรอง "ทางเลือก"

RO: IKEv1 Faza 1, autentificare cu semnătură, trimitere certificate „opțional”

RU: IKEv1 Phase 1, аутентификация с подписью, отправка сертификатов «опционально»

VI: IKEv1 Giai đoạn 1, xác thực bằng chữ ký, gửi chứng chỉ "tùy chọn"

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.