Re: [CFRG] RSA PSS Salt Length for HTTP Message Signatures

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 28 May 2021 03:10 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Justin Richer <jricher@mit.edu>
CC: IRTF CFRG <cfrg@irtf.org>
Date: Fri, 28 May 2021 03:10:37 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/741B3vjzGpGJm3mVJCIbhnlZLBY>

Justin Richer <jricher@mit.edu> writes:

>When I was just updating my test vector implementation I saw this as another
>optional parameter alongside the salt length and so I was about to ask if
>this was important to specify. I see here that it is. :)

I would recommend specifying a complete cipher suite that locks down every
single variable parameter to a fixed value, hashes, MGFs, data block sizes,
everything.  Without that you're always going to get some implementation that
creates fully standards-compliant signatures that, nevertheless, nothing else
can deal with.

Or, as I mentioned, use encode-then-memcmp() PKCS #1, since there's nothing to
get wrong in there.

Peter.