Re: [CFRG] RSA PSS Salt Length for HTTP Message Signatures
Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 27 May 2021 01:51 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Justin Richer <jricher@mit.edu>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 27 May 2021 01:51:29 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/5pgz4AJ25H17nlWlFS-_ltDnsjs>

Justin Richer <jricher@mit.edu> writes:

>I had been using one library that defaults this to 20, another library
>defaults it to (I think?) 32, and another library seems to vary it based on
>the SHA hash size. Is there a best practice here, or a way to determine what
>the correct salt length is? I couldn’t find anything in RFC8017 that suggests
>an appropriate value, so if I’m just missing it please point me to it.

In theory the spec suggests using the hash size, but as you've found in practice everyone seems to do whatever they feel like, and it's not just for the salt size, since PSS leaves almost everything as a user-choice parameter you'll find all sorts of weird unexpected stuff there, with endless weird corner cases that you'd think no-one would ever implement until you find something that does.

One thing to look out for is the leading-bits-trimming that's required but very well disguised in the spec, since some implementations do it and some don't.

A more general comment is that it'd make more sense to specify PKCS #1 with encode-then-memcmp() rather than forcing people to guess how other implementations of PSS work, it's just a huge implementation headache that'll be repeated for everyone who has to do it.

Peter.