Re: [CFRG] RSA PSS Salt Length for HTTP Message Signatures

Martin Thomson <mt@lowentropy.net> Fri, 28 May 2021 00:22 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A89A3A05AC for <cfrg@ietfa.amsl.com>; Thu, 27 May 2021 17:22:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=JqKmwljG; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=PbMLkL3T
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8I8YC3Q3RIEB for <cfrg@ietfa.amsl.com>; Thu, 27 May 2021 17:22:00 -0700 (PDT)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D5BB3A006A for <cfrg@irtf.org>; Thu, 27 May 2021 17:22:00 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.west.internal (Postfix) with ESMTP id 96CBA1653 for <cfrg@irtf.org>; Thu, 27 May 2021 20:21:54 -0400 (EDT)
Received: from imap10 ([10.202.2.60]) by compute4.internal (MEProxy); Thu, 27 May 2021 20:21:54 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm2; bh=WeiVG9ozwQPa56Qw5t03AZSNGvrdPR/ tkBXDTVEPEgk=; b=JqKmwljGuVi4Oq276sQqSvUDWxkglXk3yfm8AyP3BhpCmdq dZc3/kf2LaJ9FDZ7Vn9aMxkQkVPTn2/khTUL0aIpEeXrwcZmjoaxhFN3VEnDXc7r vRk4S5LC7axtlVwvA2ZT0yUXJ3YkUWSoeJsWxCTGrU9khKzTsLdO5H3Pd1sc99G7 Ygo4nE5eydYyWChZ4QpeUtyxYRLJjngr0PUQbjFjwSfJFW2ZeBTYb7EhYgrekW3t FRtnqIq2jTzOimbgJGlb9sdzFgaQY7hHovR39ucpLymBYkPiGfcFIRqXkRVSClMi eJ1Z2QIt8Hzy7cRaD7t0KQ7va2tHlGGtCz+XqoQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=WeiVG9 ozwQPa56Qw5t03AZSNGvrdPR/tkBXDTVEPEgk=; b=PbMLkL3TE1B4dTSPoWcv4A J18C2RJZG/9dRN5tBuqousDlNXS/Xd3Qo7tiSe50F8Dczeu1FQLqFdBHep8zj4In 9DzPfaAc0SzYHPKQM5uv0jOPoIcBSxtDZ+2ln8BrN5UxwRBK0kHRSBWdvZKm7XTu uW0JndFZ57jJjVB1L8j+7TAncI5a4W6nv5YimwSprRu7emeJAOHJvsd3ScKSPRc7 vDCVw8syGK8xeeAfzHlJRPvkP8PduNA5pX6VON5djaTc/h9YbmdrebPYXLPzoN9w ppe5iSAkMNUqUuo1ogb43Ppc997ra7jL8sgQuOtNUNjFM8cNkcdnv5TzaCcjWSPA ==
X-ME-Sender: <xms:oTewYBQgIREdwwG1whiIjkk51cyjbSVP7wKDLgVrsDOjCGU9lsPUeA> <xme:oTewYKy8UkDsCWtOiVSjRzllzacHQqlbq2o0Z0b04nbVXwb7EBAdoQW_RWtza2c9n kpWGMe3WV2pXrTpK10>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvdekiedgfeduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeelheejleffteetvedthe egtddtheffgffhtdduleelleetfeetkefffffhuedvvdenucffohhmrghinhepihgvthhf rdhorhhgpdhirhhtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmh epmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:oTewYG01rcZYU8Kuz0kEMFORE4j2TGRtxhTmjg83sJ7NXERUNWtFaQ> <xmx:oTewYJAZH0FVGGfACi8bgffwt_wsRrxwIF9fOp467kn1trT0Bwbz5w> <xmx:oTewYKgGOVjTI3usCxxzoe3MjtuPgwLxlf5AzuZwktegD6rLGTQygw> <xmx:ojewYFv5ZWNAviUtktCX6QCAbv0UXEC8o9ermi1jOBm1cBj7ias7FQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 90AAE4E0099; Thu, 27 May 2021 20:21:53 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-468-gdb53729b73-fm-20210517.001-gdb53729b
Mime-Version: 1.0
Message-Id: <17fdb9d0-0035-4ad6-84ea-e5e2bda798da@www.fastmail.com>
In-Reply-To: <20210527232354.GY32395@kduck.mit.edu>
References: <1EED8807-C5C5-461F-BE60-34C44791849E@mit.edu> <1BF68544-CB14-4A60-88BB-4E80E2D9A094@vigilsec.com> <CAFewVt54d6NGEYOX6Tx=gMf+p9NqTVkb9VkRxr+VZL5eDSmhmA@mail.gmail.com> <20210527232354.GY32395@kduck.mit.edu>
Date: Fri, 28 May 2021 10:21:35 +1000
From: Martin Thomson <mt@lowentropy.net>
To: cfrg@irtf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/sWbRsGgrOyd1Os-9Pj902wGoc-8>
Subject: Re: [CFRG] RSA PSS Salt Length for HTTP Message Signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 May 2021 00:22:06 -0000

To add to what Brian and Ben said (listen to their advice), the CA/Browser Forum have also adopted a very narrow profile of PSS if you need further support for this view.

(BTW, I would would change a tiny thing in the TLS text: "the length of the digest algorithm" is generally understood to be the "natural" size of the algorithm's output.  If you look at SHA-2, it's not the block size, which is one measure of the "length" of the digest.  For SHA-2 it's 224, 256, 384, or 512 bits as appropriate.  And with the digest potentially being an XOF, like SHAKE, you have to be careful to avoid saying "output length" as that concept is not always directly applicable to an XOF.)

On Fri, May 28, 2021, at 09:23, Benjamin Kaduk wrote:
> On Thu, May 27, 2021 at 04:15:32PM -0700, Brian Smith wrote:
> > Russ Housley <housley@vigilsec.com> wrote:
> > 
> > > RFC 4055 has this recommendation:
> > >
> > >          The saltLength field is the octet length of the salt.  For a
> > >          given hashAlgorithm, the recommended value of saltLength is the
> > >          number of octets in the hash value.
> > >
> > 
> > I recommend that you follow the example of TLS 1.3 [1], which is compatible
> > with that recommendation in RFC 4055:
> > 
> >       RSASSA-PSS [RFC8017
> > <https://datatracker.ietf.org/doc/html/rfc8017>] with mask generation
> > function 1.  The digest
> >       used in the mask generation function and the digest being signed
> >       are both the corresponding hash algorithm as defined in [SHS
> > <https://datatracker.ietf.org/doc/html/rfc8446#ref-SHS>].
> >       The length of the Salt MUST be equal to the length of the digest
> >       algorithm.  If the public key is carried in an X.509 certificate,
> >       it MUST use the RSASSA-PSS OID [RFC5756
> > <https://datatracker.ietf.org/doc/html/rfc5756>]. [...] The algorithm
> > 
> >       parameters MUST be DER encoded.  If the corresponding public key's
> > 
> >       parameters are present, then the parameters in the signature MUST
> > 
> >       be identical to those in the public key.
> > 
> > 
> > Some crypto libraries (e.g. mine) only support this exact form of PSS
> > signatures, both generating and verifying. I am not sure if the rationale
> > for TLS 1.3's strictness is given anywhere, but it underwent significant
> > discussion before the above strict form was agreed upon.
> > 
> > [1] https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
> 
> The sentiment that comes through in the TLS list archives is that PSS has a
> lot of parameters and that means places for implementations to mess up if
> they're allowed to vary freely.  If you nail down as part of the protocol
> that there is only one way to do things, correct (and testable)
> implementation is much easier.
> 
> -Ben
> 
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>