Re: [CFRG] RSA PSS Salt Length for HTTP Message Signatures

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 27 May 2021 01:51 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/5pgz4AJ25H17nlWlFS-_ltDnsjs>

Justin Richer <jricher@mit.edu> writes:

>I had been using one library that defaults this to 20, another library
>defaults it to (I think?) 32, and another library seems to vary it based on
>the SHA hash size. Is there a best practice here, or a way to determine what
>the correct salt length is? I couldn’t find anything in RFC8017 that suggests
>an appropriate value, so if I’m just missing it please point me to it.

In theory the spec suggests using the hash size, but as you've found in
practice everyone seems to do whatever they feel like, and it's not just for
the salt size, since PSS leaves almost everything as a user-choice parameter
you'll find all sorts of weird unexpected stuff there, with endless weird
corner cases that you'd think no-one would ever implement until you find
something that does.  One thing to look out for is the leading-bits-trimming
that's required but very well disguised in the spec, since some
implementations do it and some don't.

A more general comment is that it'd make more sense to specify PKCS #1 with
encode-then-memcmp() rather than forcing people to guess how other
implementations of PSS work, it's just a huge implementation headache that'll
be repeated for everyone who has to do it.

Peter.
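
Added example, not part of the original message and not taken from any library discussed in the thread: the EMSA-PSS encoding layer of RFC 8017 section 9.1 in Python, showing that the salt length is carried inside the encoded message (so a verifier expecting a different length rejects it) and where the leading-bits trim sits. The function names, the choice of SHA-256 with MGF1, and `em_bits` (modulus bit length minus one) are assumptions of this sketch; the RSA operation itself is omitted.

```python
# Added illustration: names are this example's own; SHA-256 + MGF1 are assumed.
import hashlib, hmac
from math import ceil

H_LEN = hashlib.sha256().digest_size  # hLen = 32 for SHA-256

def mgf1(seed, length):
    """MGF1 with SHA-256 (RFC 8017, appendix B.2.1)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(ceil(length / H_LEN)))
    return b"".join(blocks)[:length]

def _h(msg, salt):
    # H = Hash(eight zero octets || Hash(M) || salt)
    return hashlib.sha256(bytes(8) + hashlib.sha256(msg).digest() + salt).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def emsa_pss_encode(msg, em_bits, salt):
    em_len = ceil(em_bits / 8)
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("encoding error: modulus too small for this salt")
    h = _h(msg, salt)
    db = bytes(em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytearray(_xor(db, mgf1(h, len(db))))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # the leading-bits trim
    return bytes(masked) + h + b"\xbc"

def recover_salt(em, em_bits):
    """Return the salt embedded in EM, or None if the framing is invalid."""
    em_len = ceil(em_bits / 8)
    keep = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em_len < H_LEN + 2 or em[-1] != 0xBC:
        return None
    masked, h = em[:-H_LEN - 1], em[-H_LEN - 1:-1]
    if masked[0] & ~keep & 0xFF:       # trimmed bits must arrive as zero
        return None
    db = bytearray(_xor(masked, mgf1(h, len(masked))))
    db[0] &= keep                      # and are cleared again after unmasking
    sep = bytes(db).find(b"\x01")      # first nonzero octet must be 0x01
    if sep < 0 or any(db[:sep]):
        return None
    return bytes(db[sep + 1:])

def emsa_pss_verify(msg, em, em_bits, s_len):
    salt = recover_salt(em, em_bits)
    if salt is None or len(salt) != s_len:
        return False
    return hmac.compare_digest(_h(msg, salt), em[-H_LEN - 1:-1])
```

With a 2048-bit modulus `em_bits` is 2047, so exactly one leading bit is trimmed; an encoding produced with a 20-byte salt verifies with `s_len=20` and is rejected with `s_len=32`.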