Signature authentication for VPNs using Post Quantum Cryptography
Based on the IETF draft Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) using PQC, post-quantum cryptographic (PQC) digital signature algorithms can be integrated into the IKEv2 protocol using the existing authentication framework defined in RFC 7427. Two NIST-standardized algorithms, ML-DSA (standardized as FIPS 204) and SLH-DSA (standardized as FIPS 205), are supported.
FortiGate now supports RFC 7427, which modernizes the digital signature framework used for authentication in IKEv2 to be algorithm-agnostic instead of relying on the traditional RSA/ECDSA-based methods. This enables FortiGates to use both NIST-standardized algorithms, ML-DSA and SLH-DSA, in the IKEv2 signature authentication exchange. When building site-to-site VPNs, using these algorithms allows certificates containing PQC public keys to be used, providing quantum resistance against future attacks.
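The following is an added example, not FortiGate or IETF code, of the RFC 7427 authentication data that makes the framework algorithm-agnostic: the AUTH payload carries a one-octet length, a DER AlgorithmIdentifier naming the signature OID, and then the signature itself, so the same exchange can carry ML-DSA-65 or SLH-DSA-SHA2-128f. The OIDs are the ones the IKE debug output on this page reports; the signature bytes are a constructed placeholder, and the last function reads the "signature verification succeeded" debug line to confirm the reported name and OID agree.

```python
import re

# Constructed allow-list: signature OIDs as reported by "diagnose debug application ike" on this page.
PQC_SIG_OIDS = {
    "2.16.840.1.101.3.4.3.18": "ML-DSA-65",
    "2.16.840.1.101.3.4.3.21": "SLH-DSA-SHA2-128f",
}

def encode_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) with a short-form length."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128; high bit set on every byte but the last
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def build_auth_data(oid, signature):
    """RFC 7427 Digital Signature auth data: ASN.1 Length | AlgorithmIdentifier | Signature.
    ML-DSA and SLH-DSA AlgorithmIdentifiers carry no parameters field."""
    oid_der = encode_oid(oid)
    alg_id = bytes([0x30, len(oid_der)]) + oid_der     # SEQUENCE { OID }
    return bytes([len(alg_id)]) + alg_id + signature

def parse_auth_data(data):
    """Return (algorithm name, signature); reject anything not on the PQC allow-list."""
    alg_len = data[0]
    alg_id, signature = data[1:1 + alg_len], data[1 + alg_len:]
    if (len(alg_id) != alg_len or alg_len < 4 or alg_id[0] != 0x30
            or alg_id[1] != alg_len - 2 or alg_id[2] != 0x06):
        raise ValueError("malformed AlgorithmIdentifier")
    oid_der = alg_id[2:4 + alg_id[3]]
    name = next((n for o, n in PQC_SIG_OIDS.items() if encode_oid(o) == oid_der), None)
    if name is None:
        raise ValueError("signature OID is not an approved PQC algorithm")
    if 2 + len(oid_der) != alg_len:                     # trailing parameters present
        raise ValueError("unexpected AlgorithmIdentifier parameters")
    return name, signature

def pqc_auth_from_debug(debug_lines):
    """Find the 'signature verification succeeded using NAME, oid=OID' line in IKE debug
    output and return True only when NAME is the allow-listed name for that OID."""
    for line in debug_lines:
        m = re.search(r"signature verification succeeded using (\S+), oid=([\d.]+)", line)
        if m:
            return PQC_SIG_OIDS.get(m.group(2)) == m.group(1)
    return False
```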
The following commands have been added:

```
config vpn ipsec phase1-interface
    edit <name>
        set authmethod signature
        set digital-signature-auth <enable | disable>
        set signature-hash-alg {sha1 | sha2-256 | sha2-384 | sha2-512 | identity}
    next
end
```
| Option | Description |
|---|---|
| digital-signature-auth enable | Enable to use the RFC 7427 IKEv2 digital signature authentication framework. |
| signature-hash-alg identity | Set to identity to use hash algorithm value 5 ("identity") per RFC 8420, which passes the raw IKEv2 AUTH data to the signature algorithm without hashing. |
Example
A financial institution needs to adhere to post-quantum signature compliance by implementing PQC in its IKEv2 VPN’s signature authentication. They must meet either FIPS-204 or FIPS-205 by implementing ML-DSA or SLH-DSA respectively.
They have two sites that are connected by site-to-site VPN:
Prerequisites
This company has generated the following certificates that have been imported into the FortiGate:
| Certificate | Details |
|---|---|
| CA certificate "ml-dsa-ca.crt" | Signed with the ML-DSA (ml-dsa-65) post-quantum digital signature algorithm |
| FGTA's digital certificate "fgta-ml-dsa.p12" | Client certificate signed by the CA using ml-dsa-65 |
| FGTB's digital certificate "fgtb-ml-dsa.p12" | Client certificate signed by the CA using ml-dsa-65 |
| CA certificate "slh-dsa-ca.crt" | Signed with the SLH-DSA (SLH-DSA-SHA2-128f) post-quantum digital signature algorithm |
| FGTA's digital certificate "fgta-slh-dsa.p12" | Client certificate signed by the CA using SLH-DSA-SHA2-128f |
| FGTB's digital certificate "fgtb-slh-dsa.p12" | Client certificate signed by the CA using SLH-DSA-SHA2-128f |
To configure FGTA in the CLI:

- Configure the user peer with the CA certificate:

  ```
  config user peer
      edit "PKI-PQC-ML"
          set ca "ml-dsa-ca"
      next
  end
  ```

- Configure Phase1 with signature authentication, the identity hashing algorithm, the client certificate for this FortiGate and the peer user above:

  ```
  config vpn ipsec phase1-interface
      edit "to401a-ipsec-ce"
          set interface "port16"
          set ike-version 2
          set authmethod signature
          set net-device disable
          set proposal aes256-sha512
          set dhgrp 21 20
          set nattraversal disable
          set digital-signature-auth enable
          set signature-hash-alg identity
          set remote-gw 10.1.16.2
          set certificate "FGTA-ms-dsa-65"
          set peer "PKI-PQC-ML"
      next
  end
  ```

- Configure Phase2, where the local subnet is 192.168.1.0/24 and the remote subnet is 192.168.2.0/24:

  ```
  config vpn ipsec phase2-interface
      edit "to401a-ipsec-ce"
          set phase1name "to401a-ipsec-ce"
          set proposal aes256-sha512
          set dhgrp 21 20
          set src-addr-type name
          set dst-addr-type name
          set src-name "to401a-ipsec-ce_local"
          set dst-name "to401a-ipsec-ce_remote"
      next
  end
  ```

- Configure the firewall policies:

  ```
  config firewall policy
      edit 16
          set name "vpn_to401a-ipsec-ce_local"
          set srcintf "port2"
          set dstintf "to401a-ipsec-ce"
          set action accept
          set srcaddr "to401a-ipsec-ce_local"
          set dstaddr "to401a-ipsec-ce_remote"
          set schedule "always"
          set service "ALL"
      next
      edit 17
          set name "vpn_to401a-ipsec-ce_remote"
          set uuid 5a5561ca-21ba-51f1-405e-04024f84bcf1
          set srcintf "to401a-ipsec-ce"
          set dstintf "port2"
          set action accept
          set srcaddr "to401a-ipsec-ce_remote"
          set dstaddr "to401a-ipsec-ce_local"
          set schedule "always"
          set service "ALL"
      next
  end
  ```
To configure FGTB in the CLI:

- Configure the user peer with the CA certificate:

  ```
  config user peer
      edit "PKI-PQC-ML"
          set ca "ml-dsa-ca"
      next
  end
  ```

- Configure Phase1 with signature authentication, the identity hashing algorithm, the client certificate for this FortiGate and the peer user above:

  ```
  config vpn ipsec phase1-interface
      edit "to401a-ipsec-ce"
          set interface "port16"
          set ike-version 2
          set authmethod signature
          set net-device disable
          set proposal aes256-sha512
          set dhgrp 21 20
          set nattraversal disable
          set digital-signature-auth enable
          set signature-hash-alg identity
          set remote-gw 10.1.16.1
          set certificate "FGTB-ms-dsa-65"
          set peer "PKI-PQC-ML"
      next
  end
  ```

- Configure Phase2, where the local subnet is 192.168.2.0/24 and the remote subnet is 192.168.1.0/24:

  ```
  config vpn ipsec phase2-interface
      edit "to401a-ipsec-ce"
          set phase1name "to401a-ipsec-ce"
          set proposal aes256-sha512
          set dhgrp 21 20
          set src-addr-type name
          set dst-addr-type name
          set src-name "to401a-ipsec-ce_local"
          set dst-name "to401a-ipsec-ce_remote"
      next
  end
  ```

- Configure the firewall policies:

  ```
  config firewall policy
      edit 16
          set name "vpn_to401a-ipsec-ce_local"
          set srcintf "port2"
          set dstintf "to401a-ipsec-ce"
          set action accept
          set srcaddr "to401a-ipsec-ce_local"
          set dstaddr "to401a-ipsec-ce_remote"
          set schedule "always"
          set service "ALL"
      next
      edit 17
          set name "vpn_to401a-ipsec-ce_remote"
          set uuid 5a5561ca-21ba-51f1-405e-04024f84bcf1
          set srcintf "to401a-ipsec-ce"
          set dstintf "port2"
          set action accept
          set srcaddr "to401a-ipsec-ce_remote"
          set dstaddr "to401a-ipsec-ce_local"
          set schedule "always"
          set service "ALL"
      next
  end
  ```
Verification
After the tunnel is brought up, enable real-time IKE debugging to confirm that certificate validation succeeded.
The following debugs are taken from FGTA as the VPN responder:
```
FGTA # diagnose debug application ike -1
Debug messages will be on for unlimited time.

# diagnose debug enable
ike V=root:0:to401a-ipsec-ce:1056: reassembled fragmented message
ike V=root:0:to401a-ipsec-ce:1056: responder received AUTH msg
ike V=root:0:to401a-ipsec-ce:1056: processing notify type INITIAL_CONTACT
ike V=root:0:to401a-ipsec-ce:1056: processing notify type MESSAGE_ID_SYNC_SUPPORTED
ike V=root:0:to401a-ipsec-ce:1056: received peer identifier DER_ASN1_DN 'C = CA, ST = BC, L = BN, O = FNT, OU = QA, CN = FGTB, emailAddress = www@fortinet.com'
ike V=root:0:to401a-ipsec-ce:1056: eap-peer=no
ike V=root:0:to401a-ipsec-ce:1056: received peer certreq '7A5B4605CC584516BB5EEB982E7331A67ECE9007'
ike V=root:0:to401a-ipsec-ce:1056: Validating X.509 certificate
ike V=root:0:to401a-ipsec-ce:1056: peer cert, subject='FGTB', issuer='PQC_Root_CA'
ike V=root:0:to401a-ipsec-ce:1056: peer CA cert, subject='PQC_Root_CA', issuer='PQC_Root_CA'
ike V=root:0:to401a-ipsec-ce:1056: peer ID verified
ike V=root:0:to401a-ipsec-ce:1056: building fnbam peer candidate list
ike V=root:0:to401a-ipsec-ce:1056: FNBAM_GROUP_NAME candidate 'PKI-PQC-ml'
ike V=root:0:to401a-ipsec-ce:1056: certificate validation pending
ike V=root:0:to401a-ipsec-ce:1056: certificate validation succeeded
ike V=root:0:to401a-ipsec-ce:1056: signature verification succeeded using ML-DSA-65, oid=2.16.840.1.101.3.4.3.18
ike V=root:0:to401a-ipsec-ce:1056: auth verify done
ike V=root:0:to401a-ipsec-ce:1056: responder AUTH continuation
ike V=root:0:to401a-ipsec-ce:1056: authentication succeeded
ike V=root:0:to401a-ipsec-ce:1056: responder creating new child
ike V=root:0:to401a-ipsec-ce:1056:957: peer proposal:
ike V=root:0:to401a-ipsec-ce:1056:957: TSi_0 0:192.168.2.0-192.168.2.255:0
ike V=root:0:to401a-ipsec-ce:1056:957: TSr_0 0:192.168.1.0-192.168.1.255:0
```
View the tunnel either from the command palette (CTRL+P) > CLI diagnostic, or run the command diagnose vpn ike gateway list from the CLI:
```
# diagnose vpn ike gateway list

vd: root/0
name: to401a-ipsec-ce
version: 2
interface: port16 22
addr: 10.1.16.1:500 -> 10.1.16.2:500
tun_id: 10.1.16.2/::10.1.16.2
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 2818s ago
peer-id: C = CA, ST = BC, L = BN, O = FNT, OU = QA, CN = FGTB, emailAddress = www@fortinet.com
peer-id-auth: yes
pending-queue: 0
PPK: no
IKE SA: created 1/2  established 0/1  time 50/50/50 ms
IPsec SA: created 1/2  established 1/1  time 0/0/0 ms

  id/spi: 1024 d1229a3d75fcbe87/ce44896882753680
  direction: responder
  status: established 2818-2818s ago = 50ms
  proposal: aes256-sha512
  child: no
  SK_ei: e54a5d169729d3a8-f50e7f5f5540237d-724e30630c3ecaa9-403156d1164476fa
  SK_er: 373b97f05bb891b4-b96c177b5d1b95ce-2d28b1280232216f-a3424ee3170cf91c
  SK_ai: 66bbe963e3d4dd87-65ed2b5c162ccd26-0cf87d1f61d45054-cbbd659b345ddd18-2e0f91d818cd8d18-259a67871c6e9d75-160cbd15e69d632e-bb3aa2a4d0ee0916
  SK_ar: 3486c80d312af4e3-1c2f1d4cae340d00-37f7a1c31a8712d1-4fe5b23e5ef24d7e-0886a254d52a2a23-f6dfc3d41b6e099c-16f36f9fb8852fce-d86d5b1e0124fe8d
  PPK: no
  message-id sent/recv: 0/2
  QKD: no
  PQC-KEM (IKE): no
  PQC-KEM (all IPsec): no
  lifetime/rekey: 86400/83311
  DPD sent/recv: 00000000/00000000
  peer-id: C = CA, ST = BC, L = BN, O = FNT, OU = QA, CN = FGTB, emailAddress = www@fortinet.com
```
From FGTA, send some pings across the tunnel:
```
FGTA # execute ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=0.1 ms
....
--- 192.168.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.3 ms
```
Alternatively, switch the tunnel to use the SLH-DSA certificates. When the tunnel connects, enable real-time debugging to confirm that SLH-DSA-SHA2-128f post-quantum certificate verification succeeds. These debugs are taken from FGTA as the VPN initiator:
```
FGTA # diagnose debug application ike -1
Debug messages will be on for unlimited time.

FGTA # diagnose debug enable
ike V=root:0:to401a-ipsec-ce:1083: reassembled fragmented message
ike V=root:0:to401a-ipsec-ce:1083: initiator received AUTH msg
ike V=root:0:to401a-ipsec-ce:1083: received peer identifier DER_ASN1_DN 'C = CA, ST = BC, L = BN, O = FNT, OU = QA, CN = FGTB, emailAddress = www@fortinet.com'
ike V=root:0:to401a-ipsec-ce:1083: Validating X.509 certificate
ike V=root:0:to401a-ipsec-ce:1083: peer cert, subject='FGTB', issuer='SLH-DSA Root CA'
ike V=root:0:to401a-ipsec-ce:1083: peer CA cert, subject='SLH-DSA Root CA', issuer='SLH-DSA Root CA'
ike V=root:0:to401a-ipsec-ce:1083: peer ID verified
ike V=root:0:to401a-ipsec-ce:1083: building fnbam peer candidate list
ike V=root:0:to401a-ipsec-ce:1083: FNBAM_GROUP_NAME candidate 'PKI-PQC-sh'
ike V=root:0:to401a-ipsec-ce:1083: certificate validation pending
ike V=root:0:to401a-ipsec-ce:1083: certificate validation succeeded
ike V=root:0:to401a-ipsec-ce:1083: signature verification succeeded using SLH-DSA-SHA2-128f, oid=2.16.840.1.101.3.4.3.21
ike V=root:0:to401a-ipsec-ce:1083: auth verify done
ike V=root:0:to401a-ipsec-ce:1083: initiator AUTH continuation
ike V=root:0:to401a-ipsec-ce:1083: authentication succeeded
ike V=root:0:to401a-ipsec-ce:1083: processing notify type MESSAGE_ID_SYNC_SUPPORTED
ike V=root:0:to401a-ipsec-ce:1083: established IKE SA 177874f660215a41/8ba20ada8ef20510
ike V=root:0:to401a-ipsec-ce:1083: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike V=root:0:to401a-ipsec-ce: set oper up
ike V=root:0:to401a-ipsec-ce: schedule auto-negotiate
ike V=root:0:to401a-ipsec-ce:1083:974: peer proposal:
ike V=root:0:to401a-ipsec-ce:1083:974: TSr_0 0:192.168.2.0-192.168.2.255:0
ike V=root:0:to401a-ipsec-ce:1083:974: TSi_0 0:192.168.1.0-192.168.1.255:0
```