Re: [CFRG] RSA PSS Salt Length for HTTP Message Signatures

Brian Smith <brian@briansmith.org> Fri, 28 May 2021 18:15 UTC

References: <1EED8807-C5C5-461F-BE60-34C44791849E@mit.edu> <1BF68544-CB14-4A60-88BB-4E80E2D9A094@vigilsec.com> <CAFewVt54d6NGEYOX6Tx=gMf+p9NqTVkb9VkRxr+VZL5eDSmhmA@mail.gmail.com> <20210527232354.GY32395@kduck.mit.edu> <67015DB5-A45F-41C7-A236-C54DEB30DD8F@akamai.com>
In-Reply-To: <67015DB5-A45F-41C7-A236-C54DEB30DD8F@akamai.com>
From: Brian Smith <brian@briansmith.org>
Date: Fri, 28 May 2021 11:15:00 -0700
Message-ID: <CAFewVt4EtJG+kJgiWVtdZznDOubsu1POUoVmzht-DecxjxDemw@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, IRTF CFRG <cfrg@irtf.org>, Russ Housley <housley@vigilsec.com>, Justin Richer <jricher@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tXmV8btsASyFNrqzzDoMXcgA6KI>
Subject: Re: [CFRG] RSA PSS Salt Length for HTTP Message Signatures

Salz, Rich <rsalz@akamai.com> wrote:

> Perhaps reconsider PSS.
> https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html
> is excellent reading.
>

I agree with most of the concerns in that document but it's too one-sided
against PSS. A lot of the noted concerns are addressed by following the
advice at the very end, by only using PSS with fixed parameters like TLS
1.3 does.

Note also that RFC 4055 says "For similar reasons, one RSA key pair should always be used with the same RSASSA-PSS parameters (except possibly for the salt length)." The easiest way to follow that advice is to fix all the parameters in the protocol.

Cheers,
Brian
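As an added illustration of the fixed-parameters point (example code, not from this thread or any project it names): a stdlib-only Python implementation of the EMSA-PSS padding layer from RFC 8017 section 9.1, with hash and MGF pinned to SHA-256 as the TLS 1.3 rsa_pss_* profiles do, where the salt length also equals the digest length. A verifier with the salt length pinned to 32 rejects an encoding made with a 20-byte salt, while a verifier that recovers the salt length from the encoding accepts it; the RSA modular exponentiation itself is omitted, and emBits=2047 in the usage corresponds to a 2048-bit modulus.

```python
import hashlib
import os

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 bytes


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1) on the scheme's own hash; the hash/MGF pairing is part of the pinned set."""
    blocks = (HASH(seed + c.to_bytes(4, "big")).digest()
              for c in range((mask_len + H_LEN - 1) // H_LEN))
    return b"".join(blocks)[:mask_len]


def emsa_pss_encode(msg: bytes, em_bits: int, salt_len: int) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1): EM = maskedDB || H || 0xbc with a fresh random salt."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + salt_len + 2:
        raise ValueError("encoding error: modulus too small for this salt length")
    salt = os.urandom(salt_len)
    h = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - salt_len - H_LEN - 2) + b"\x01" + salt
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    top_mask = 0xFF >> (8 * em_len - em_bits)  # clear the bits above emBits
    return bytes([masked_db[0] & top_mask]) + masked_db[1:] + h + b"\xbc"


def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, salt_len=None) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2). salt_len=None recovers the length from EM
    ("auto" mode); an int pins it, which is what a fixed-parameter profile does."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & (0xFF ^ top_mask):
        return False
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db = bytes([db[0] & top_mask]) + db[1:]
    if salt_len is None:  # auto: the salt is whatever follows the first 0x01
        sep = db.find(b"\x01")
        if sep < 0 or any(db[:sep]):
            return False
        salt_len = len(db) - sep - 1
    ps_len = em_len - H_LEN - salt_len - 2
    if ps_len < 0 or any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = db[ps_len + 1:]
    return h == HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
```

With `emsa_pss_verify(msg, em, 2047, 32)` the 20-byte-salt encoding fails at the `db[ps_len] != 0x01` check, whereas `salt_len=None` happily accepts it; pinning the parameters in the protocol is what makes the first behaviour the only one.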