Re: [CFRG] RSA PSS Salt Length for HTTP Message Signatures

Justin Richer <jricher@mit.edu> Thu, 27 May 2021 19:08 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DB193A0818 for <cfrg@ietfa.amsl.com>; Thu, 27 May 2021 12:08:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.096
X-Spam-Level:
X-Spam-Status: No, score=-4.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W3d1v4NTyWmh for <cfrg@ietfa.amsl.com>; Thu, 27 May 2021 12:08:11 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC9943A07D4 for <cfrg@irtf.org>; Thu, 27 May 2021 12:08:10 -0700 (PDT)
Received: from [192.168.1.49] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 14RJ842t023359 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 27 May 2021 15:08:05 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <F5BBDCAC-17FE-49E8-B3DC-FE6C9BC22B64@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0B94B25D-7871-4688-9628-12EDE13190A5"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.6\))
Date: Thu, 27 May 2021 15:08:04 -0400
In-Reply-To: <HE1PR0701MB30509CFAC2752751667D11EA89239@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Cc: Russ Housley <housley@vigilsec.com>, IRTF CFRG <cfrg@irtf.org>
To: John Mattsson <john.mattsson@ericsson.com>
References: <1EED8807-C5C5-461F-BE60-34C44791849E@mit.edu> <1BF68544-CB14-4A60-88BB-4E80E2D9A094@vigilsec.com> <3C751F77-2362-4099-850B-263C08F60AC4@mit.edu> <HE1PR0701MB30509CFAC2752751667D11EA89239@HE1PR0701MB3050.eurprd07.prod.outlook.com>
X-Mailer: Apple Mail (2.3608.120.23.2.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CTBai5Pw5MA48fpWj7pNbVDZbhc>
Subject: Re: [CFRG] RSA PSS Salt Length for HTTP Message Signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 May 2021 19:08:17 -0000

Thank you for this follow up. When I was just updating my test vector implementation I saw this as another optional parameter alongside the salt length and so I was about to ask if this was important to specify. I see here that it is. :)

I will swing back around to this list once I have a PR on the HTTP document for feedback on the details of the specification text across the different algorithm types.

Thank you all again, this has been very helpful.
 — Justin

> On May 27, 2021, at 1:10 PM, John Mattsson <john.mattsson@ericsson.com> wrote:
> 
> Don't forget to specify the mask generation function (MGF). That is another important input. RSA-PSS use two different hash functions that can be different. I have seen implementations of RSA-PSS with SHA2 that only support MGF‐1 with SHA‐1.
>  
> Modern standards like CAB Forum Baseline Requirement, JOSE, and COSE, RFC 8692 require use of the same hash algorith for both. CAB Forum Baseline Requirement calls it:
>  
> "RSASSA‐PSS with SHA‐512, MGF‐1 with SHA‐512, and a salt length of 64 bytes"
>  
> Cheers,
> John
>  
> From: CFRG <cfrg-bounces@irtf.org> on behalf of Justin Richer <jricher@mit.edu>
> Date: Thursday, 27 May 2021 at 18:14
> To: Russ Housley <housley@vigilsec.com>
> Cc: IRTF CFRG <cfrg@irtf.org>
> Subject: Re: [CFRG] RSA PSS Salt Length for HTTP Message Signatures
> 
> Thank you! That is clear guidance and we can use that to set a known value since we are fixing the hash size, in this specific case. 
>  
>  — Justin
> 
> 
> On May 26, 2021, at 5:38 PM, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote:
>  
> RFC 4055 has this recommendation:
>  
>          The saltLength field is the octet length of the salt.  For a
>          given hashAlgorithm, the recommended value of saltLength is the
>          number of octets in the hash value.
>  
> Russ
> 
> 
> On May 26, 2021, at 4:45 PM, Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>  
> Hi everyone,
>  
> I’m one of the editors of the HTTP Message Signatures spec, and I’ve got a question that I was told this list might be a good place to find an answer for. The latest draft of the spec is here if you want to follow along:
>  
> https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html>
>  
> For some background, this spec defines methods for normalizing and signing HTTP messages (both request and response), along with ways to attach the results of that signature to the HTTP message. This is a draft of the HTTP WG. While applications can profile this with any algorithm that can take in the input string and output the byte array signature, we are defining a handful of general-use signature algorithm methods that can be signaled explicitly.
>  
> One of the methods we’re defining uses RSA PSS with SHA512 for a hash. What we’ve discovered in implementation is that it seems like there might be a couple other parameters that also need to be specified, specifically the “salt length”. I had been using one library that defaults this to 20, another library defaults it to (I think?) 32, and another library seems to vary it based on the SHA hash size. Is there a best practice here, or a way to determine what the correct salt length is? I couldn’t find anything in RFC8017 that suggests an appropriate value, so if I’m just missing it please point me to it. 
>  
> The current text from the signatures spec is the following, and I’d plan to just add “the salt length (sLen) value is (XX)” in both the sign and verify sections below:
>  
> To sign using this algorithm, the signer applies the RSASSA-PSS-SIGN (K, M) function [RFC8017 <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html#RFC8017>] with the signer's private signing key (K) and the signature input string (M) (Section 2.5 <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html#create-sig-input>). The hash SHA-512 [RFC6234 <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html#RFC6234>] is applied to the signature input string to create the digest content to which the digital signature is applied. The resulting signed content byte array (S) is the HTTP message signature output used in Section 3.1 <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html#sign>.
>  
> To verify using this algorithm, the verifier applies the RSASSA-PSS-VERIFY ((n, e), M, S) function [RFC8017 <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html#RFC8017>] using the public key portion of the verification key material ((n, e)) and the signature input string (M) re-created as described in Section 3.2 <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html#verify>. The hash function SHA-512 [RFC6234 <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html#RFC6234>] is applied to the signature input string to create the digest content to which the verification function is applied. The verifier extracts the HTTP message signature to be verified (S) as described in Section 3.2 <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html#verify>. The results of the verification function are compared to the http message signature to determine if the signature presented is valid.
>  
> Thank you so much for your help, and please be sure to CC me on replies as I am not subscribed to this list. 
>  — Justin
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org <mailto:CFRG@irtf.org>
> https://www.irtf.org/mailman/listinfo/cfrg <https://protect2.fireeye.com/v1/url?k=0037cec6-5facf624-00378e5d-86073b36ea28-55e61acee15efdff&q=1&e=b4afe96e-fb2a-4ebe-bd17-1b9dd11b902a&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg>