Digital signatures
Along with pre-shared key, RSA digital signatures are the most common means of IKE authentication.
An RSA digital signature is based on a cryptographic key that has two parts: a public part and a private part. One part (the public key) is widely shared, and may even be publicly distributed. The other part (the private key) remains secret. These keys are mathematically related but are independent, so that neither key is derivable from the other.
The key is used as input to a hash function; together, the key and the hash function form a signing function that, when applied to a document, creates a digital signature.
An RSA key can be used either to encrypt or authenticate, and this is based on two facts:
- Data encrypted with the agent's public key can only be decrypted by the agent, using the private key. This means that any peer can send information securely by encrypting it with the public key and forwarding it to the agent.
- Data processed with a hash function can be encrypted with the signer's private key—such data is said to be digitally signed. Since anyone with the public key can verify the digital signature, this communication can be accepted as authentically coming from the agent.
The algorithms that encrypt using RSA keys are very secure but extremely slow—so slow that it would be impracticable to encrypt an entire set of data using them. Instead, the agent produces a digital signature for the data, as follows: