Re: [Cfrg] Question about RSA keys

Yoav Nir <ynir.ietf@gmail.com> Sat, 19 November 2016 12:45 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <20161119100659.085a675a@pc1>
Date: Sat, 19 Nov 2016 14:45:06 +0200
Message-Id: <F3DDC363-648F-4E19-ADC6-9CB577511243@gmail.com>
References: <449BC933-5758-48E3-8A6B-DF57058F8665@gmail.com> <20161119100659.085a675a@pc1>
To: Hanno Böck <hanno@hboeck.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/8-jT3xubGwMPAs-3JKyKdd52eYQ>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Question about RSA keys
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

> On 19 Nov 2016, at 11:06, Hanno Böck <hanno@hboeck.de> wrote:
> 
> On Sat, 19 Nov 2016 10:48:18 +0200
> Yoav Nir <ynir.ietf@gmail.com> wrote:
> 
>> However, most servers (and clients) in the foreseeable future are
>> going to support both TLS 1.2 and TLS 1.3, and they’re going to do
>> this with a single certificate that might have an RSA key.
>> 
>> So my question is, is there a problem with having the server (or
>> client) signing some TLS transcripts with PKCS#1 and others with
>> RSA-PSS? 
> 
> This came up before. Ideally you'd want key separation, but this is
> complicated. There are to my knowledge no known attacks that exploit
> the combination of PKCS #1 1.5 and PSS.

Thanks, that’s what I thought I remembered.

> However we've been using the same keys for PKCS #1 1.5 encryption and
> signatures for ages and this is most likely more concerning, see [1]
> and DROWN [2].
> I think the theoretical concerns about mixing PKCS #1 1.5 and PSS
> with the same key are minor compared to the issues raised by combining
> encryption and signatures with the same key.

Yes, and RSA decryption can be avoided even in TLS 1.2 and earlier with a proper selection of ciphersuites.

Yoav
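The two points of this exchange, one RSA key signing under both PKCS#1 v1.5 (TLS 1.2) and RSA-PSS (TLS 1.3), and keeping that same key away from RSA decryption by dropping static RSA key exchange from the TLS 1.2 cipher-suite list, as an added Go example. This is not code from the thread or from any TLS implementation discussed in it. The transcript bytes are constructed, the two cipher-suite lists are illustrative, and the names NewDemoKey, TranscriptDigest, SignBoth, Verify, UsesRSAKeyTransport and RSAKeyTransportSuites are this example's own. The audit classifies a suite by its IANA name: TLS_RSA_WITH_* suites carry the premaster secret encrypted to the certificate key, so the server must decrypt; ECDHE_RSA and DHE_RSA suites use the key only to sign.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/tls"
	"fmt"
	"strings"
)

// PSS parameters as TLS 1.3 fixes them: MGF1 over the same hash, salt length = hash length.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

// NewDemoKey generates the single RSA key a server offering both TLS versions holds.
func NewDemoKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// TranscriptDigest stands in for the handshake hash signed in CertificateVerify.
func TranscriptDigest(transcript []byte) []byte {
	d := sha256.Sum256(transcript)
	return d[:]
}

// SignBoth uses one key for both schemes the question asks about:
// PKCS#1 v1.5 (TLS 1.2 rsa_pkcs1_sha256) and RSA-PSS (TLS 1.3 rsa_pss_rsae_sha256).
func SignBoth(priv *rsa.PrivateKey, digest []byte) (pkcs1, pss []byte, err error) {
	if pkcs1, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest); err != nil {
		return nil, nil, err
	}
	if pss, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest, pssOpts); err != nil {
		return nil, nil, err
	}
	return pkcs1, pss, nil
}

type CrossCheck struct {
	PKCS1OK, PSSOK         bool // each signature under its own scheme (expected true)
	PKCS1AsPSS, PSSAsPKCS1 bool // each signature under the other scheme (expected false)
}

// Verify shows the two encodings are distinct: a signature produced under one
// scheme is rejected by the other scheme's verifier even though the key is shared.
func Verify(pub *rsa.PublicKey, digest, pkcs1, pss []byte) CrossCheck {
	return CrossCheck{
		PKCS1OK:    rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, pkcs1) == nil,
		PSSOK:      rsa.VerifyPSS(pub, crypto.SHA256, digest, pss, pssOpts) == nil,
		PKCS1AsPSS: rsa.VerifyPSS(pub, crypto.SHA256, digest, pkcs1, pssOpts) == nil,
		PSSAsPKCS1: rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, pss) == nil,
	}
}

// UsesRSAKeyTransport reports whether a pre-1.3 suite encrypts the premaster secret
// to the server's RSA key. Only those suites let a peer feed ciphertexts to the key;
// ECDHE_RSA and DHE_RSA suites use it for signing alone.
func UsesRSAKeyTransport(id uint16) bool {
	return strings.HasPrefix(tls.CipherSuiteName(id), "TLS_RSA_WITH_")
}

// RSAKeyTransportSuites names the suites in a TLS 1.2 list that expose the key to decryption.
func RSAKeyTransportSuites(ids []uint16) []string {
	var found []string
	for _, id := range ids {
		if UsesRSAKeyTransport(id) {
			found = append(found, tls.CipherSuiteName(id))
		}
	}
	return found
}

// Two illustrative TLS 1.2 lists: one still offering RSA key transport, one restricted
// to ECDHE. TLS 1.3 has no RSA key exchange, so the second list never decrypts at all.
var (
	LegacySuites = []uint16{
		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	}
	SigningOnlySuites = []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	}
)

func main() {
	priv, err := NewDemoKey()
	if err != nil {
		panic(err)
	}
	digest := TranscriptDigest([]byte("constructed TLS transcript, not a real capture"))
	pkcs1, pss, err := SignBoth(priv, digest)
	if err != nil {
		panic(err)
	}
	fmt.Printf("one key, two schemes: %+v\n", Verify(&priv.PublicKey, digest, pkcs1, pss))
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: SigningOnlySuites}
	fmt.Println("signing-only config exposes decryption via:", RSAKeyTransportSuites(cfg.CipherSuites))
}
```

The cfg at the end is the setting Yoav describes: one rsaEncryption key, TLS 1.2 and 1.3 both offered, and the key only ever signs. With RSA-PSS, TLS 1.3 mandates the salt length equal to the hash length, which is what pssOpts encodes; the cross-check fields confirm that the PKCS#1 v1.5 and PSS encodings do not accept each other's signatures.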