Re: [DNSOP] New Version Notification for draft-muks-dnsop-dnssec-sha3-01
Mukund Sivaraman <muks@isc.org> Mon, 08 May 2017 17:16 UTC
Date: Mon, 08 May 2017 22:45:57 +0530
From: Mukund Sivaraman <muks@isc.org>
To: Paul Wouters <paul@nohats.ca>
Cc: Olafur Gudmundsson <ogud@ogud.com>, IETF DNSOP WG <dnsop@ietf.org>
Message-ID: <20170508171557.GA17895@jurassic>
References: <20170410093847.GA21654@jurassic> <CA+nkc8AebVmM46FQ3hzcz9OkNEMvBu6EcSHF-L=hp9qobS8UHQ@mail.gmail.com> <20170410150917.GA22210@jurassic> <36190869-0215-4BA9-AF9E-297CA4035849@ogud.com> <alpine.LRH.2.20.999.1705081236110.14424@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.20.999.1705081236110.14424@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6KxwUFPD6tt0ALeGCfrbf72q76c>
Subject: Re: [DNSOP] New Version Notification for draft-muks-dnsop-dnssec-sha3-01
Hi Paul

On Mon, May 08, 2017 at 12:46:21PM -0400, Paul Wouters wrote:
> Not only that, but the reason specified is to bump RSA from
> RSASSA-PKCS1-v1_5 to RSASSA-PSS. As far as I know, the security
> issues of RSASSA-PKCS1-v1_5 are that when using it to _encrypt_
> bogus data, it can be used as an oracle to obtain private key
> bits. That means there is no on-the-wire security issue with
> RSASSA-PKCS1-v1_5 for Digital Signatures. And if HSMs are used
> to protect access to private keys, those keys should be marked
> as "signing only keys" to avoid exposing the private key via this
> attack if the machine with the HSM is compromised.

It isn't that the RSASSA-PKCS1-v1_5 signature scheme is currently broken. Revision 00 of the draft had used the RSASSA-PKCS1-v1_5 scheme to make it easier for implementations, and so I was defending it among colleagues at first. However, RSASSA-PSS is a more robust signature scheme with a more exact proof of security. We evaluated our choice and switched to that for use with SHA-3 in revision 01 after it was pointed out on this list.

See "The Exact Security of Digital Signatures - How to Sign with RSA and Rabin", Bellare and Rogaway, for why it is an improvement (vs. FDH).

http://web.cs.ucdavis.edu/~rogaway/papers/exact.pdf

One nuisance of PSS is that it uses entropy during signing (a salt value per signature) that may make it inconvenient for signing in environments without an entropy source. However, it is possible to create signatures with a non-random salt (so it was made a "SHOULD" in the draft) with equivalent security to FDH. With the random salt, it is a far more robust scheme for RSA signatures.

RSASSA-PKCS1-v1_5 is no longer allowed for new applications due to its lack of exact security.

I'll reply to the other comments soon.

Mukund
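As an added example (not code from the draft or from anyone in this thread), the EMSA-PSS encoding and verification steps from RFC 8017 section 9.1, instantiated with SHA3-256 as the draft pairs it with RSASSA-PSS. The RSA exponentiation is left out so that the salt behaviour Mukund describes is visible on its own: a fresh random salt gives a different encoding for every signature of the same message, while an empty or fixed salt gives a deterministic one; `em_bits = 2047` assumes a 2048-bit modulus and the message is a constructed sample.

```python
"""EMSA-PSS-ENCODE / EMSA-PSS-VERIFY (RFC 8017 9.1.1 / 9.1.2) with SHA3-256.
Added example; shows only the encoding the signer would exponentiate."""
import hashlib
import hmac
import os

HASH, HLEN = hashlib.sha3_256, 32  # same hash for message, H and MGF1


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || counter) blocks, truncated."""
    blocks = (mask_len + HLEN - 1) // HLEN
    out = b"".join(HASH(seed + c.to_bytes(4, "big")).digest() for c in range(blocks))
    return out[:mask_len]


def pss_encode(msg: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE. Random salt is the normal (SHOULD) case; an empty
    or fixed salt makes the encoding deterministic, the FDH-like mode."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding too short for hash + salt")
    m_hash = HASH(msg).digest()
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()         # H = Hash(M')
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - HLEN - 1)))
    # clear the top (8*emLen - emBits) bits so EM is below the modulus
    top = masked[0] & (0xFF >> (8 * em_len - em_bits))
    return bytes([top]) + masked[1:] + h + b"\xbc"


def pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY: unmask DB, recover the salt, recompute and compare H."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    if masked[0] & ~(0xFF >> (8 * em_len - em_bits)) & 0xFF:
        return False                                        # top bits must be zero
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, len(masked))))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    ps_len = em_len - HLEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:              # PS || 0x01 || salt
        return False
    salt = bytes(db[ps_len + 1:])
    h2 = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
    return hmac.compare_digest(h, h2)


def random_salt() -> bytes:
    """Per-signature salt of hLen bytes, the entropy PSS consumes when signing."""
    return os.urandom(HLEN)
```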