In RFC 2409, IKE authentication by digital signature we see the following:
`Initiator Responder
----------- -----------
HDR, SA -->
<-- HDR, SA
HDR, KE, Ni -->
<-- HDR, KE, Nr
HDR*, IDii, [ CERT, ] SIG_I -->
<-- HDR*, IDir, [ CERT, ] SIG_R
`
also, we see it's mentioned:
-In both modes, the signed data, SIG_I or SIG_R, is the result of the
negotiated digital signature algorithm applied to HASH_I or HASH_R
respectively.
-In general the signature will be over HASH_I and HASH_R as above
using the negotiated prf, or the HMAC version of the negotiated hash
function (if no prf is negotiated).
what does the above means? , how SIG_I and SIG_R are get calculated and verified?
I understand that the HASH_I and HASH_R are calculated like the following:
HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b ) HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )
and the SKEYID is different depends on the authentication method in use, and for digital signatures it's like the following:
For signatures: SKEYID = prf(Ni_b | Nr_b, g^xy)
now, I would like to understand what does it mean by "SIG_I or SIG_R, is the result of the
negotiated digital signature algorithm applied to HASH_I or HASH_R
respectively." ? does this mean SIG_I = prf (HASH_I)?