Re: [Cfrg] Question from JOSE working group
"Jim Schaad" <ietf@augustcellars.com> Tue, 03 July 2012 21:29 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C32921F86B3 for <cfrg@ietfa.amsl.com>; Tue, 3 Jul 2012 14:29:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.408
X-Spam-Level:
X-Spam-Status: No, score=-3.408 tagged_above=-999 required=5 tests=[AWL=0.191, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hHd5p6DiN55z for <cfrg@ietfa.amsl.com>; Tue, 3 Jul 2012 14:29:30 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id 5359921F86B5 for <cfrg@irtf.org>; Tue, 3 Jul 2012 14:29:30 -0700 (PDT)
Received: from Tobias (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 1EE362CA15; Tue, 3 Jul 2012 14:29:39 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: "'Richard L. Barnes'" <rbarnes@bbn.com>
References: <FFFFB6D6-08A6-4989-99B1-BC1F677AEBD0@vigilsec.com> <41F795C1-BD4F-4732-8F1A-62F909E9AA07@bbn.com> <1499CA50-2239-4102-BA1A-04104EAC57DF@vigilsec.com> <03b301cd5943$693f2800$3bbd7800$@augustcellars.com> <7C1A94EE-8633-4FA7-A936-E82FDA6A5FB9@bbn.com>
In-Reply-To: <7C1A94EE-8633-4FA7-A936-E82FDA6A5FB9@bbn.com>
Date: Tue, 03 Jul 2012 14:28:16 -0700
Message-ID: <03c801cd5962$c3182920$49487b60$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQDe91NbMO1Nq06fh8taxrYdt/CHCALpPHJBAWJNYUkCIgYT+gJ3iACymK2qUNA=
Content-Language: en-us
Cc: cfrg@irtf.org, jose@ietf.org
Subject: Re: [Cfrg] Question from JOSE working group
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2012 21:29:31 -0000
As I said - with the introduction of new signature algorithms led to the fact that the hash algorithm was no longer protected. If you are looking at breaking an RSA signature, you have two ways of going about it. You can either break the hash in some way - or you can factor the RSA keys. The RSA problem is related to the factoring of the keys and has little to do with attacking the hash algorithm. If I could get you to substitute my hash algorithm for the actual hash algorithm used, and they had the same hash value for different messages then the RSA problem is not relevant for the purposes of the attack. The PKCS#1.5 RSA defended against this by placing the hash algorithm identifier in as part of the "to be signed" value. This was both good - the hash algorithm was defended and bad - there were lots of known bits fixed bits in the signature block for lots of signatures. There can be operational/convention steps that deal with this - for example there is a suggested practice that the hash algorithm used in the RSA-PSS signature operation and the one computing the hash of the message should be the same. But there is no current requirement that these steps be followed. (Oops - need to file an erratum on RFC 4056 about what to do for a hash algorithm if signed attributes are not used.) The reason for writing RFC 6211 was precisely the issue of protecting the hash algorithm used in the signature operation in those cases where it was not completely obvious (i.e DSA which only permitted one signature algorithm) or it was not included in the cryptographic block (RSA v1.5). Jim > -----Original Message----- > From: Richard L. Barnes [mailto:rbarnes@bbn.com] > Sent: Tuesday, July 03, 2012 12:59 PM > To: Jim Schaad > Cc: 'Russ Housley'; cfrg@irtf.org; jose@ietf.org > Subject: Re: [Cfrg] Question from JOSE working group > > More precisely: > RSASSA-PKCS1-v1_5 includes the hash algorithm under the signature > RSASSA-PSS (introduced in PKCS#1 v2.1) does not include the hash algorithm > > Doesn't this seem to argue against the need to protect parameters, since the > security of RSASSA-PSS is tightly related to the RSA problem itself? > > > On Jul 3, 2012, at 1:43 PM, Jim Schaad wrote: > > > I would also note that when PKCS#7 was designed, the hash algorithm > > was always protected independent the presence of signed attributes. > > Either the hash algorithm was in the signed attributes or it was in the RSA > signature > > block encoding. It was only with the introduction of other algorithms that > > this was no longer true. > > > > Jim > > > > > >> -----Original Message----- > >> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf > >> Of Russ Housley > >> Sent: Tuesday, July 03, 2012 8:02 AM > >> To: Richard L.Barnes > >> Cc: cfrg@irtf.org; jose@ietf.org > >> Subject: Re: [Cfrg] Question from JOSE working group > >> > >> Richard: > >> > >>> Actually, the inclusion of the hash algorithm under the signature is > > optional: > >>> " > >>> signedAttrs is a collection of attributes that are signed. The > >>> field is optional, but it MUST be present if the content type of > >>> the EncapsulatedContentInfo value being signed is not id-data. > >>> [...] If the field is present, it MUST > >>> contain, at a minimum, the following two attributes: > >>> > >>> ... > >>> > >>> A message-digest attribute, having as its value the message > >>> digest of the content. Section 11.2 defines the message-digest > >>> attribute. > >>> " > >>> > >>> Since "id-data" means "no more ASN.1 structure", for JOSE, the > >>> content > >> type is effectively always "id-data". > >> > >> In practice, there are other attributes that one wants signed, such > >> as > > signing- > >> time, so the algorithm identifier gets included. > >> > >> Russ > >> > >> _______________________________________________ > >> Cfrg mailing list > >> Cfrg@irtf.org > >> http://www.irtf.org/mailman/listinfo/cfrg > >
- [Cfrg] Question from JOSE working group Richard L. Barnes
- Re: [Cfrg] Question from JOSE working group Mike Jones
- Re: [Cfrg] [jose] Fwd: Question from JOSE working… Richard L. Barnes
- Re: [Cfrg] Question from JOSE working group Russ Housley
- Re: [Cfrg] Question from JOSE working group Richard L. Barnes
- Re: [Cfrg] Question from JOSE working group Richard L. Barnes
- Re: [Cfrg] [jose] Question from JOSE working group John Bradley
- Re: [Cfrg] [jose] Question from JOSE working group Weger, B.M.M. de
- Re: [Cfrg] [jose] Question from JOSE working group John Bradley
- Re: [Cfrg] Question from JOSE working group Russ Housley
- Re: [Cfrg] Question from JOSE working group Jim Schaad
- Re: [Cfrg] Question from JOSE working group Richard L. Barnes
- Re: [Cfrg] Question from JOSE working group Jim Schaad