11.1 Signing procedure

The following algorithms can be configured in the local node and peer node sections of the Diameter Signaling Router to sign or validate a Diameter message:
  1. RSA with SHA256
  2. ECDSA-with-SHA256
  3. DSA with SHA256

DESS (Diameter End-to-End Security) phase 1 signing proceeds as follows:

  1. If DESS is enabled, DSR performs the following steps to sign the message:

    The structure of a signed Diameter message is shown in Figure 11-3.

    Figure 11-3 Structure of a Signed Diameter Message

  2. DSR adds a grouped DESS-Signature AVP to the message, containing the following sub-AVPs:
    1. "DESS-System-Time" AVP carrying the current timestamp.
    2. "DESS-Signing-Identity" AVP carrying the FQDN that identifies the node or realm that created the digital signature.
    3. "DESS-Digital-Signature-Type" AVP recording the type of digital signature (one of the algorithms listed above).
    4. An AVP carrying the DESS digital signature itself.

      Signing is applied individually to each Diameter message: requests, answers, error answers and retransmitted messages are each signed separately.
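The signing and validation steps above, as an added Go example; this is not DSR product code and not part of the original document. It builds a Diameter request, appends the grouped DESS-Signature AVP with the four sub-AVPs listed, signs with ECDSA-with-SHA256 (the second algorithm in the list above) and validates the result on the receiving side, including the checks a validating node should make before it touches the signature. The header layout and AVP encoding follow RFC 6733. The AVP codes 9001 to 9005, the signature-type value, the exact bytes the signature covers and the five-minute DESS-System-Time window are assumptions made for this example; the page does not specify them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Session-Id is RFC 6733 AVP 263; the DESS AVP codes and the signature-type value are placeholders assumed here.
const (
	avpSessionID, avpDESSSignature, avpDESSSystemTime               uint32 = 263, 9001, 9002
	avpDESSSigningIdentity, avpDESSSigType, avpDESSDigitalSignature uint32 = 9003, 9004, 9005
	sigTypeECDSASHA256, flagM = 2, 0x40                     // assumed value for "ECDSA-with-SHA256"; AVP 'M' bit
	ntpOffset, maxSkew        = 2208988800, 5 * time.Minute // Diameter Time is NTP seconds; assumed replay window
)

var sampleHeader = []byte{1, 0, 0, 0, 0x80, 0, 1, 0x10, 0, 0, 0, 4, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88} // constructed header: version 1, R bit, command 272, application 4
var signingKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)                                                   // stand-in for the node's configured credentials
type avp struct{ code uint32; data []byte; off int } // off: offset of the AVP header in the parsed buffer

// encodeAVP builds an RFC 6733 AVP (code, flags, 24-bit length, data) padded to 4 bytes.
func encodeAVP(code uint32, data []byte) []byte {
	n := 8 + len(data)
	out := make([]byte, 8, (n+3)&^3) // the spare capacity is the zero padding
	binary.BigEndian.PutUint32(out, code)
	out[4], out[5], out[6], out[7] = flagM, byte(n>>16), byte(n>>8), byte(n)
	return append(out, data...)[:cap(out)]
}

// decodeAVPs walks a sequence of AVPs, checking each length field before trusting it.
func decodeAVPs(b []byte) (out []avp, err error) {
	for off := 0; len(b) > 0; {
		if len(b) < 8 {
			return nil, errors.New("truncated AVP header")
		}
		n, hl := int(b[5])<<16|int(b[6])<<8|int(b[7]), 8+4*int(b[4]>>7) // the V bit adds a 4-byte Vendor-Id
		pad := (n + 3) &^ 3
		if n < hl || pad > len(b) {
			return nil, errors.New("bad AVP length")
		}
		out = append(out, avp{binary.BigEndian.Uint32(b), b[hl:n], off})
		off, b = off+pad, b[pad:]
	}
	return out, nil
}

// signMessage appends the grouped DESS-Signature AVP to hdr||payload and sets Message Length. What the signature
// covers is this example's assumption: the header with Message Length zeroed, the payload AVPs, the three sub-AVPs.
func signMessage(hdr, payload []byte, identity string, now time.Time, key *ecdsa.PrivateKey) ([]byte, error) {
	subs := encodeAVP(avpDESSSystemTime, binary.BigEndian.AppendUint32(nil, uint32(now.Unix()+ntpOffset)))
	subs = append(subs, encodeAVP(avpDESSSigningIdentity, []byte(identity))...)
	subs = append(subs, encodeAVP(avpDESSSigType, binary.BigEndian.AppendUint32(nil, sigTypeECDSASHA256))...)
	digest := sha256.Sum256(append(append(append([]byte{hdr[0], 0, 0, 0}, hdr[4:]...), payload...), subs...))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	grouped := encodeAVP(avpDESSSignature, append(subs, encodeAVP(avpDESSDigitalSignature, sig)...))
	msg := append(append(append([]byte{}, hdr...), payload...), grouped...)
	msg[1], msg[2], msg[3] = byte(len(msg)>>16), byte(len(msg)>>8), byte(len(msg))
	return msg, nil
}

// verifyMessage checks the DESS-Signature AVP (assumed last, sub-AVPs in the listed order) and returns the signer.
func verifyMessage(msg []byte, pub *ecdsa.PublicKey, now time.Time) (string, error) {
	if len(msg) < 20 || int(msg[1])<<16|int(msg[2])<<8|int(msg[3]) != len(msg) {
		return "", errors.New("bad Diameter header or Message Length")
	}
	avps, err := decodeAVPs(msg[20:])
	if err != nil || len(avps) == 0 || avps[len(avps)-1].code != avpDESSSignature {
		return "", fmt.Errorf("no usable DESS-Signature AVP (%v)", err)
	}
	g := avps[len(avps)-1]
	s, err := decodeAVPs(g.data)
	if err != nil || len(s) != 4 || s[0].code != avpDESSSystemTime || len(s[0].data) != 4 ||
		s[1].code != avpDESSSigningIdentity || s[2].code != avpDESSSigType || len(s[2].data) != 4 ||
		s[3].code != avpDESSDigitalSignature || binary.BigEndian.Uint32(s[2].data) != sigTypeECDSASHA256 {
		return "", fmt.Errorf("malformed DESS-Signature group or unsupported signature type (%v)", err)
	}
	if d := time.Unix(int64(binary.BigEndian.Uint32(s[0].data))-ntpOffset, 0).Sub(now); d > maxSkew || d < -maxSkew {
		return "", errors.New("DESS-System-Time outside the accepted window")
	}
	digest := sha256.Sum256(append(append([]byte{msg[0], 0, 0, 0}, msg[4:20+g.off]...), g.data[:s[3].off]...))
	if !ecdsa.VerifyASN1(pub, digest[:], s[3].data) {
		return "", errors.New("DESS signature does not verify")
	}
	return string(s[1].data), nil
}

func main() {
	msg, _ := signMessage(sampleHeader, encodeAVP(avpSessionID, []byte("dsr1.example.com;1;42")), "dsr1.example.com", time.Now(), signingKey)
	fmt.Println(verifyMessage(msg, &signingKey.PublicKey, time.Now())) // dsr1.example.com <nil>
}
```

The validating side refuses the message if Message Length disagrees with the bytes received, if any AVP length field is inconsistent, if DESS-Digital-Signature-Type names an algorithm it does not expect, or if DESS-System-Time is outside the window, and only then runs the ECDSA verification. The returned DESS-Signing-Identity is what a real node would look up in its peer node configuration to pick the validation key; this example hands the key in directly.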