Re: [Cfrg] pkcs#1v1.5

Johannes Merkle <johannes.merkle@secunet.com> Mon, 24 March 2014 14:00 UTC

Message-ID: <53303A7D.9010304@secunet.com>
Date: Mon, 24 Mar 2014 15:00:29 +0100
From: Johannes Merkle <johannes.merkle@secunet.com>
To: Russ Housley <housley@vigilsec.com>, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, IRTF CFRG <cfrg@irtf.org>
Cc: IETF SAAG <saag@ietf.org>
References: <239D7A53E5B17B4BB20795A7977613A40207DB59F189@CROEXCFWP04.gemalto.com> <9cb524b6-c260-484e-bf44-45d52e7319a1@email.android.com> <CF522EF0.19491%kenny.paterson@rhul.ac.uk> <532D99CA.10405@cs.tcd.ie> <CF535271.19584%kenny.paterson@rhul.ac.uk> <14C0D5FC-4878-4E9D-85CA-C57CC77CB9AD@vigilsec.com>
In-Reply-To: <14C0D5FC-4878-4E9D-85CA-C57CC77CB9AD@vigilsec.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/NSntLaf7IO0TF-yQy1UmSpthWSw

Six months ago, I raised the question on the TLS mailing list whether we shouldn't allow the use of RSA-PSS signatures in TLS.
There was almost no support for that idea, and the arguments I faced were:
 - The need to support both legacy RSA and RSA-PSS introduces considerable complexity, in particular if we try to reuse existing cipher suites.
 - PSS doesn't give much benefit over PKCS#1v1.5. As Peter Gutmann put it: "I know it's *theoretically* better, but unless you do -1.5 really badly there's no practical weakness that would encourage an upgrade."

I was told that there was an attempt, some years ago, to mandate RSA-PSS for certificates. It was met with pretty much universal rejection, to the extent that people would probably ignore the requirement even if it were made a MUST in the spec, and as a result it was dropped.

Clearly the issue with PKCS#1v1.5 encryption is worse, so there might be more urgency to migrate to OAEP. As development of TLS 1.3 is just about to start, this might be the right time.

Johannes


Russ Housley wrote on 23.03.2014 22:12:
> {top post}
> 
> Last December, on two separate SAAG mail list threads, I suggested that we begin the migration to RSA-OAEP and RSA-PSS.  I have copied the first message in each of those threads below to save folks time with the mail archive search.  I continue to believe that we should begin this migration.
> 
> It takes a really long time to make such a transition.  Let's get started today.
> 
> Russ
> 
> = = = = = = = = =
> 
> From: Russ Housley <housley@vigilsec.com>
> Date: December 4, 2013 5:40:33 AM EST
> To: IETF SAAG <saag@ietf.org>
> Subject: [saag] RSA-OAEP
> 
> We have known for a very long time that PKCS #1 Version 1.5 (see RFC 2313) key transport is vulnerable to adaptive chosen ciphertext attacks.  Exploitation reveals the result of a particular RSA decryption, and requires access to an oracle which will respond to hundreds of thousands of ciphertexts, which are constructed adaptively in response to previously-received replies providing information on the successes or failures of attempted decryption operations.  As a result, the attack appears significantly less feasible in store-and-forward environments than interactive ones.
> 
> PKCS #1 Version 2.0 and Version 2.1 (see RFC 3447) include RSA-OAEP to address this situation, but we have seen very little movement toward RSA-OAEP.  While we are reviewing algorithm choices in light of the pervasive surveillance situation, I think we should take the time to address known vulnerabilities like this one.  If we don't, then we are leaving a partially open door for a well funded attacker.
> 
> Russ
>