Re: [Cfrg] Reference for hash substitution attack against RSASSA-PSS and its mitigation

Mike Jones <Michael.Jones@microsoft.com> Mon, 05 June 2017 06:05 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, "cfrg@irtf.org" <cfrg@irtf.org>
CC: Steve KENT <steve.kent@raytheon.com>
Date: Mon, 5 Jun 2017 06:05:38 +0000
Message-ID: <CY4PR21MB0504B5B60E6DDBC77C5443B6F5CA0@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <D55A1D7D.94F54%kenny.paterson@rhul.ac.uk>
In-Reply-To: <D55A1D7D.94F54%kenny.paterson@rhul.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tYzmbigkIj1QDCiMfSUbaKc5eHc>
Subject: Re: [Cfrg] Reference for hash substitution attack against RSASSA-PSS and its mitigation
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

This text was written for Security Considerations about using RSASSA-PSS:

There is a theoretical hash substitution attack that can be mounted against RSASSA-PSS. However, the requirement that the same hash function be used consistently for all operations is an effective mitigation against it. Unlike ECDSA, hash function outputs are not truncated so that the full hash value is always signed. The internal padding structure of RSASSA-PSS means that one needs to have multiple collisions between the two hash functions to be successful in producing a forgery based on changing the hash function. This is highly unlikely.

If there’s a suitable reference to these attacks, that would be great.  Or if even saying this is misguided or out of place, that would be useful to know too.

                                                       Thanks,

                                                       -- Mike

-----Original Message-----
From: Paterson, Kenny [mailto:Kenny.Paterson@rhul.ac.uk]
Sent: Sunday, June 4, 2017 12:29 PM
To: Mike Jones <Michael.Jones@microsoft.com>; cfrg@irtf.org
Cc: Steve KENT <steve.kent@raytheon.com>
Subject: Re: [Cfrg] Reference for hash substitution attack against RSASSA-PSS and its mitigation

Hi Mike,

I'm not sure what attacks you're referring to here, so could you briefly summarise them for me? That might help me and others figure out if there's a suitable research paper to point you towards.

Thanks,

Kenny

On 02/06/2017 21:06, "Cfrg on behalf of Mike Jones" <cfrg-bounces@irtf.org on behalf of Michael.Jones@microsoft.com> wrote:

>Is there a paper that describes the theoretical hash substitution
>attacks against RSASSA-PSS and how they are mitigated?
>
>                                                                Thanks,
>                                                                -- Mike
>
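Added example, not part of the thread and not code from either correspondent: a pure-Python RSASSA-PSS (RFC 8017 EMSA-PSS encoding with MGF1, plus a toy RSA key generator) whose verifier has its hash function fixed when the public key is installed, which is the "same hash function used consistently for all operations" mitigation the draft text above relies on. The verifier recomputes both mHash and H = Hash(M') with the pinned hash and compares them against what is embedded in the decoded EM, so the full digest is always covered and there is no hash-algorithm field to negotiate. The class and function names (PinnedPssVerifier, sign_pss, demo) and the sample message are my own constructions; keys are generated at run time, so the demo is randomised but its outcomes are not.

```python
"""RSASSA-PSS per RFC 8017 with a policy-pinned hash in the verifier (added example)."""
import hashlib
import random
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division; good enough for an illustrative key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_key(bits=1024):
    """Toy RSA keygen: returns ((n, e), (n, d)). Not for production use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def mgf1(seed, length, hash_name):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def emsa_pss_encode(message, em_bits, hash_name, salt):
    """RFC 8017 section 9.1.1: EM = maskedDB || H || 0xbc."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if em_len < h_len + len(salt) + 2:
        raise ValueError("encoding error: modulus too small for this hash/salt")
    m_hash = hashlib.new(hash_name, message).digest()          # full digest, never truncated
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, len(db), hash_name)))
    clear = 8 * em_len - em_bits                                # leading bits that must be zero
    return bytes([masked[0] & (0xFF >> clear)]) + masked[1:] + h + b"\xbc"


def emsa_pss_verify(message, em, em_bits, hash_name, s_len):
    """RFC 8017 section 9.1.2, using only the caller's (pinned) hash."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    clear = 8 * em_len - em_bits
    if clear and masked[0] >> (8 - clear):
        return False
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, len(masked), hash_name)))
    db = bytes([db[0] & (0xFF >> clear)]) + db[1:]
    ps_len = em_len - h_len - s_len - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False
    salt = db[-s_len:] if s_len else b""
    m_hash = hashlib.new(hash_name, message).digest()
    h_prime = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return secrets.compare_digest(h, h_prime)   # both mHash and H must match under the pinned hash


def sign_pss(private_key, message, hash_name):
    n, d = private_key
    mod_bits = n.bit_length()
    salt = secrets.token_bytes(hashlib.new(hash_name).digest_size)   # sLen = hLen
    em = emsa_pss_encode(message, mod_bits - 1, hash_name, salt)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((mod_bits + 7) // 8, "big")


class PinnedPssVerifier:
    """Hash is fixed per key at installation, never read from the signature or envelope."""

    def __init__(self, public_key, hash_name):
        self.n, self.e = public_key
        self.hash_name = hash_name
        self.s_len = hashlib.new(hash_name).digest_size

    def verify(self, message, signature):
        mod_bits = self.n.bit_length()
        s = int.from_bytes(signature, "big")
        if len(signature) != (mod_bits + 7) // 8 or s >= self.n:
            return False
        em_bits = mod_bits - 1
        try:
            em = pow(s, self.e, self.n).to_bytes((em_bits + 7) // 8, "big")
        except OverflowError:
            return False
        return emsa_pss_verify(message, em, em_bits, self.hash_name, self.s_len)


def demo():
    """Constructed scenario: signer uses SHA-256; verifiers pinned to SHA-256 and SHA-384."""
    pub, priv = generate_key(1024)
    msg = b"constructed sample message"
    sig = sign_pss(priv, msg, "sha256")
    return {
        "same_hash": PinnedPssVerifier(pub, "sha256").verify(msg, sig),
        "substituted_hash": PinnedPssVerifier(pub, "sha384").verify(msg, sig),
        "tampered_message": PinnedPssVerifier(pub, "sha256").verify(msg + b"!", sig),
    }


if __name__ == "__main__":
    print(demo())
```

SHA-384 is used as the substituted hash rather than SHA-512 because with a 1024-bit modulus the SHA-512 case is rejected by the emLen size check alone, which would not exercise the padding comparison. The design point is that hash choice travels with the key's policy, not with the message; whatever a peer claims about the algorithm, the verifier's recomputation uses its own hash, and a forgery would have to survive both the mHash and the H comparison under that hash.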