Re: [Cfrg] Reference for hash substitution attack against RSASSA-PSS and its mitigation

Dan Brown <danibrown@blackberry.com> Mon, 05 June 2017 14:03 UTC

Return-Path: <danibrown@blackberry.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA8EF129553 for <cfrg@ietfa.amsl.com>; Mon, 5 Jun 2017 07:03:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L_l3faPPm1Z0 for <cfrg@ietfa.amsl.com>; Mon, 5 Jun 2017 07:03:47 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97B78129649 for <cfrg@irtf.org>; Mon, 5 Jun 2017 07:03:47 -0700 (PDT)
Received: from xct105cnc.rim.net ([10.65.161.205]) by mhs214cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 05 Jun 2017 10:03:46 -0400
Received: from XCT113CNC.rim.net (10.65.161.213) by XCT105CNC.rim.net (10.65.161.205) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 5 Jun 2017 10:03:45 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT113CNC.rim.net ([::1]) with mapi id 14.03.0319.002; Mon, 5 Jun 2017 10:03:44 -0400
From: Dan Brown <danibrown@blackberry.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "cfrg@irtf.org" <cfrg@irtf.org>
CC: Steve KENT <steve.kent@raytheon.com>
Thread-Topic: Reference for hash substitution attack against RSASSA-PSS and its mitigation
Thread-Index: AdLb26Zx24x4lnXmRNe6X+ajH2VGUACJ9uGQ
Date: Mon, 5 Jun 2017 14:03:43 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501B1CFB4@XMB116CNC.rim.net>
References: <CY4PR21MB050485ED3B9A02F48EC2E81EF5F70@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB050485ED3B9A02F48EC2E81EF5F70@CY4PR21MB0504.namprd21.prod.outlook.com>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.250]
Content-Type: multipart/alternative; boundary="_000_810C31990B57ED40B2062BA10D43FBF501B1CFB4XMB116CNCrimnet_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JycdWrl4OlKAq29nXULe-UZjdiM>
Subject: Re: [Cfrg] Reference for hash substitution attack against RSASSA-PSS and its mitigation
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jun 2017 14:03:50 -0000

Just a guess: perhaps this old presentation by Kaliski:

http://grouper.ieee.org/groups/1363/Research/contributions/HashFunctionFirewalls.pdf

is relevant?

Probably even more off-topic: as I recall, the standardized version of PSS pre-hashes the message, whereas the original academic Bellare-Rogaway version does not.  The difference between the standard and the academic version is a little like the difference between Schnorr and DSA-style signatures.  So, for standard PSS, the hash must resist collisions, pre-images, etc., whereas for the original PSS, perhaps much less is needed from hash (the proof assumes a super-strong hash, of course).  I suppose that this in turn may be a concern for hash substitutions ...

From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Mike Jones
Sent: Friday, June 2, 2017 4:06 PM
To: cfrg@irtf.org
Cc: Steve KENT <steve.kent@raytheon.com>
Subject: [Cfrg] Reference for hash substitution attack against RSASSA-PSS and its mitigation

Is there a paper that describes the theoretical hash substitution attacks against RSASSA-PSS and how they are mitigated?

                                                                Thanks,
                                                                -- Mike