Re: [CFRG] Updated RSA Guidance document

John Mattsson <john.mattsson@ericsson.com> Sat, 21 October 2023 05:15 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, Hubert Kario <hkario@redhat.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Sat, 21 Oct 2023 05:15:24 +0000
Message-ID: <GVXPR07MB9678407A2C95379824E58C1289DAA@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <6780625e-0a16-4542-86b1-136dd47a1475@redhat.com> <CAMr0u6=XR3iYjLgWHw8SGkwTUKMnR+4Js-gg=uohOX9SFaD=FA@mail.gmail.com> <ec4fe2f8-2c12-4431-ab83-86abb20ab796@redhat.com> <CAMr0u6=xQAqw6OKDB5muGQSfhoZR=vHOgb7qfX=nZSRn6_q87g@mail.gmail.com>
In-Reply-To: <CAMr0u6=xQAqw6OKDB5muGQSfhoZR=vHOgb7qfX=nZSRn6_q87g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/_0rFLLRrAV-Cfgh2nQ1qaRFcbkg>

Hi Hubert,

Thanks for the great Marvin work!

Some comments on draft-kario-rsa-guidance-01:

>11.  Deprecated Algorithms
>
>   Current protocols deployments MUST NOT use encryption with RSA PKCS
>   #1 v1.5 padding.  Support for RSA PKCS #1 v1.5 SHOULD be disabled in
>   default configuration of any implementation of RSA cryptosystem.  All
>   new protocols MUST NOT specify PKCS #1 v1.5 as a valid encryption
>   padding for RSA keys.

This text should use exact algorithm names from RFC 8017 such as
RSAES-PKCS1-v1_5. Currently unclear if "Support for RSA PKCS #1 v1.5"
includes RSASSA-PKCS1-v1_5.

>A.1.  2048 bit key
>
>   «provide test vectors here»

I do not think that a 2048-bit key example is appropriate in a new draft.

As summarized in [1], government organizations like NIST, ANSSI, BSI, and NSA have already produced recommendations regarding the deprecation of algorithms with less than 128-bit security, such as RSA with 2048-bit keys. NIST and ANSSI only allow RSA-2048 if the application data does not have to be protected after 2030. If the application data had a security life of ten years, NIST and ANSSI allowed use of RSA-2048 until December 31, 2020. BSI allowed use of RSA-2048 up to the year 2022. The Commercial National Security Algorithm Suite (CNSA) has forbidden the use of RSA-2048 since 2015.

[1] https://www.ietf.org/archive/id/draft-mattsson-tls-psk-ke-dont-dont-dont-05.html

>We thus provide guidance how to implement those algorithms in a way
>that should be secure against at least the simple timing side channel
>attacks.

Isn't it time to phase out RSA instead of continuing to patch it? I see little reason to use RSA in the future. If you want quantum-resistant public key encryption, you use HPKE with ML-KEM(+ECC). If you are constrained, you will continue to just use ECC.

Cheers,
John

From: CFRG <cfrg-bounces@irtf.org> on behalf of Stanislav V. Smyshlyaev <smyshsv@gmail.com>
Date: Thursday, 19 October 2023 at 10:15
To: Hubert Kario <hkario@redhat.com>
Cc: cfrg@irtf.org <cfrg@irtf.org>
Subject: Re: [CFRG] Updated RSA Guidance document
>> So, I think a longer slot may be warranted,
Thank you, we'll decide later, when we have all requests for presenting at the meeting.

Regards,
Stanislav (for CFRG chairs)

On Thu, Oct 19, 2023 at 11:11 AM Hubert Kario <hkario@redhat.com> wrote:
On Wednesday, 18 October 2023 20:13:17 CEST, Stanislav V. Smyshlyaev wrote:
> Hi Hubert,
>
>>> I'd like to bring it to discussion for CFRG adoption during IETF 118.
>
> Do you need a 5+5 or a 10+5 slot on the agenda for this?

I don't think I'll need to convince anybody that PKCS#1 v1.5 is a bad idea.

I might need some time to present information that there is no such thing
as a side channel too small to be detectable over the network.

The idea of implicit rejection for RSA might need a bit of an explanation
too.

So, I think a longer slot may be warranted, but I don't have a good idea
how much I can assume of the CFRG audience.

> Regards,
> Stanislav
>
> On Wed, 18 Oct 2023 at 20:37, Hubert Kario <hkario@redhat.com> wrote:
> I've published a second draft of the Implementation Guidance document at
> https://datatracker.ietf.org/doc/draft-kario-rsa-guidance/
>
> I'd like to bring it to discussion for CFRG adoption during IETF 118.
>
> Draft -01 now includes a description of base blinding, exponent blinding,
> some references, and also a high-level description of the implicit
> rejection in PKCS#1 v1.5 depadding code.
>

--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
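The three mechanisms the thread refers to (base blinding, exponent blinding, and implicit rejection in RSAES-PKCS1-v1_5 depadding) in working form, as an added example written for this archive; it is not code from draft-kario-rsa-guidance, from the thread participants, or from any project. The implicit-rejection rule it shows is the general one: a decryption that fails the padding check never reports an error and instead returns a pseudorandom message derived deterministically from the ciphertext under a secret tied to the private key, so the same query always yields the same answer and the caller's behaviour does not become a padding oracle. Assumptions: the key-derivation used for the synthetic message (HMAC-SHA256 keyed with SHA-256 of the private exponent over the ciphertext, length taken modulo the maximum plaintext length) is a simplification I chose, and the draft's own derivation may differ; `keygen`, `encrypt`, `_private_op_blinded` and `decrypt_implicit_rejection` are names invented here; the 512-bit key and the seeded `random` module are demo-only, and Python provides no timing guarantees, so only the control-flow shape (full-block scan, no early exit, mask-based selection) is what a production port should preserve.

```python
"""Added example: RSAES-PKCS1-v1_5 decryption with base blinding, exponent
blinding and implicit rejection. Demo-sized key; Python gives no timing
guarantees, so the control-flow shape is the part a real port should keep."""
import hashlib
import hmac
import math
import random

random.seed(2023)  # deterministic demo keys; real code uses a CSPRNG (secrets/os.urandom)


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, sufficient for a demonstration key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if _is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Toy key (assumed helper). Deployed keys are >= 2048 bits; the thread argues that is too small."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return {"n": n, "e": e, "d": pow(e, -1, phi), "phi": phi}


def _k(n):
    return (n.bit_length() + 7) // 8


def encrypt(pub, msg):
    """RSAES-PKCS1-v1_5 (RFC 8017): EM = 00 || 02 || PS (>= 8 nonzero bytes) || 00 || M."""
    k = _k(pub["n"])
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = bytes(random.randrange(1, 256) for _ in range(k - len(msg) - 3))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), pub["e"], pub["n"]).to_bytes(k, "big")


def _private_op_blinded(priv, c):
    """c^d mod n with base blinding (random unit r) and exponent blinding (d + j*phi)."""
    n, d, phi = priv["n"], priv["d"], priv["phi"]
    while True:
        r = random.randrange(2, n - 1)
        if math.gcd(r, n) == 1:
            break
    d_blind = d + random.getrandbits(64) * phi      # congruent to d mod phi, differs per call
    c_blind = (c * pow(r, priv["e"], n)) % n         # attacker-chosen c is never exponentiated directly
    return (pow(c_blind, d_blind, n) * pow(r, -1, n)) % n


def decrypt_implicit_rejection(priv, c):
    """On bad padding, return a pseudorandom message derived from the ciphertext under
    a key-derived secret instead of an error: same query, same answer, no oracle."""
    k = _k(priv["n"])
    if len(c) != k:  # ciphertext length is public, so rejecting it openly leaks nothing
        raise ValueError("ciphertext length mismatch")
    max_len = k - 11
    em = _private_op_blinded(priv, int.from_bytes(c, "big")).to_bytes(k, "big")

    # Scan the whole block for the 00 separator; no early exit on success or failure.
    good = int(em[0] == 0) & int(em[1] == 2)
    found, zero_at = 0, 0
    for i in range(2, k):
        is_zero = int(em[i] == 0)
        zero_at |= i * (is_zero & (1 - found))  # keep only the first zero position
        found |= is_zero
    good &= found & int(zero_at >= 10)          # PS must be at least 8 bytes long
    real_len = k - zero_at - 1                  # meaningful only when good == 1

    # Synthetic message (assumed construction, simplified from the draft's derivation):
    # KDK = HMAC-SHA256(SHA-256(d), c); length and bytes are PRF outputs under KDK.
    kdk = hmac.new(hashlib.sha256(priv["d"].to_bytes(k, "big")).digest(), c, hashlib.sha256).digest()
    synth_len = int.from_bytes(hmac.new(kdk, b"len", hashlib.sha256).digest()[:2], "big") % (max_len + 1)
    synth = b"".join(hmac.new(kdk, bytes([i]), hashlib.sha256).digest()
                     for i in range((max_len + 31) // 32))[:max_len]

    # Branch-free selection: both candidates sit right-aligned in a max_len buffer.
    mask = (-good) & 0xFF
    out_buf = bytes((a & mask) | (b & (mask ^ 0xFF)) for a, b in zip(em[k - max_len:], synth))
    out_len = (real_len & -good) | (synth_len & ~(-good))
    return out_buf[max_len - out_len:]
```

The point of the `good`/`mask` bookkeeping is that a valid and an invalid block travel through exactly the same operations; the only observable difference to a caller is the returned bytes, and for a forged ciphertext those bytes are a fixed function of the ciphertext rather than of the failure reason. A protocol built on top (TLS 1.2's premaster secret is the usual case) then proceeds with the synthetic value and fails at a later, padding-independent step. Porting this to C requires replacing the Python loops and slicing with constant-time primitives; the structure is what carries over.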