Re: [CFRG] RSA PSS Salt Length for HTTP Message Signatures

Brian Smith <brian@briansmith.org> Thu, 27 May 2021 23:15 UTC

To: Russ Housley <housley@vigilsec.com>
Cc: Justin Richer <jricher@mit.edu>, IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Rgmq_q_kAqS2ZeVHaW9v10rq59s>

Russ Housley <housley@vigilsec.com> wrote:

> RFC 4055 has this recommendation:
>
>          The saltLength field is the octet length of the salt.  For a
>          given hashAlgorithm, the recommended value of saltLength is the
>          number of octets in the hash value.
>

I recommend that you follow the example of TLS 1.3 [1], which is compatible
with that recommendation in RFC 4055:

      RSASSA-PSS [RFC8017 <https://datatracker.ietf.org/doc/html/rfc8017>]
      with mask generation function 1.  The digest
      used in the mask generation function and the digest being signed
      are both the corresponding hash algorithm as defined in
      [SHS <https://datatracker.ietf.org/doc/html/rfc8446#ref-SHS>].
      The length of the Salt MUST be equal to the length of the digest
      algorithm.  If the public key is carried in an X.509 certificate,
      it MUST use the RSASSA-PSS OID
      [RFC5756 <https://datatracker.ietf.org/doc/html/rfc5756>]. [...] The algorithm
      parameters MUST be DER encoded.  If the corresponding public key's
      parameters are present, then the parameters in the signature MUST
      be identical to those in the public key.


Some crypto libraries (e.g. mine) only support this exact form of PSS
signatures, both generating and verifying. I am not sure if the rationale
for TLS 1.3's strictness is given anywhere, but it underwent significant
discussion before the above strict form was agreed upon.

[1] https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3

Cheers,
Brian