Re: [CFRG] RSA PSS Salt Length for HTTP Message Signatures
Brian Smith <brian@briansmith.org> Thu, 27 May 2021 23:15 UTC
To: Russ Housley <housley@vigilsec.com>
Cc: Justin Richer <jricher@mit.edu>, IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Rgmq_q_kAqS2ZeVHaW9v10rq59s>

Russ Housley <housley@vigilsec.com> wrote:

> RFC 4055 has this recommendation:
>
>    The saltLength field is the octet length of the salt.  For a
>    given hashAlgorithm, the recommended value of saltLength is the
>    number of octets in the hash value.
>

I recommend that you follow the example of TLS 1.3 [1], which is compatible with that recommendation in RFC 4055:

    RSASSA-PSS [RFC8017 <https://datatracker.ietf.org/doc/html/rfc8017>]
    with mask generation function 1. The digest used in the mask
    generation function and the digest being signed are both the
    corresponding hash algorithm as defined in
    [SHS <https://datatracker.ietf.org/doc/html/rfc8446#ref-SHS>].
    The length of the Salt MUST be equal to the length of the digest
    algorithm. If the public key is carried in an X.509 certificate,
    it MUST use the RSASSA-PSS OID
    [RFC5756 <https://datatracker.ietf.org/doc/html/rfc5756>]. [...]
    The algorithm parameters MUST be DER encoded. If the corresponding
    public key's parameters are present, then the parameters in the
    signature MUST be identical to those in the public key.

Some crypto libraries (e.g. mine) only support this exact form of PSS signatures, both generating and verifying.

I am not sure if the rationale for TLS 1.3's strictness is given anywhere, but it underwent significant discussion before the above strict form was agreed upon.

[1] https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3

Cheers,
Brian