11.1 Signing procedure

The user can set up the following algorithms in the Local node and Peer node sections of the Diameter Signaling Router (DSR) to sign or validate the Diameter messages:
  • RSA with SHA256
  • ECDSA-with-SHA256
  • DSA with SHA256

Perform the following procedure for DESS (Diameter End-to-End-Security) phase 1:

  1. If DESS is enabled, the DSR performs the following steps to sign the message:

    The image below shows the structure of a Signed Diameter Message.

    Figure 11-3 Structure of a Signed Diameter Message

  2. A grouped DESS-Signature AVP (Attribute Value Pair) with the following sub-AVPs must be added to the message:
    1. "DESS-System-Time": AVP carrying the current time stamp.
    2. "DESS-Signing-Identity": AVP carrying the FQDN (Fully Qualified Domain Name) that identifies the node or realm creating the digital signature.
    3. "DESS-Digital-Signature-Type": AVP specifying the type of digital signature.
    4. The DESS digital signature itself.

  Signing is applied individually to each Diameter message, including requests, answers, errors, and retransmitted messages.