Re: [DNSOP] New Version Notification for draft-muks-dnsop-dnssec-sha3-01

Mukund Sivaraman <> Mon, 08 May 2017 17:16 UTC

Date: Mon, 08 May 2017 22:45:57 +0530
From: Mukund Sivaraman <>
To: Paul Wouters <>
Cc: Olafur Gudmundsson <>, IETF DNSOP WG <>
Message-ID: <20170508171557.GA17895@jurassic>

Hi Paul

On Mon, May 08, 2017 at 12:46:21PM -0400, Paul Wouters wrote:
> Not only that, but the reason specified is to bump RSA from
> RSASSA-PKCS1-v1_5 to RSASSA-PSS. As far as I know, the security
> issues of RSASSA-PKCS1-v1_5 are that when using it to _encrypt_
> bogus data, it can be used as an oracle to obtain private key
> bits. That means there is no on-the-wire security issue with
> RSASSA-PKCS1-v1_5 for Digital Signatures. And if HSMs are used
> to protect access to private keys, those keys should be marked
> as "signing only keys" to avoid exposing the private key via this
> attack if the machine with the HSM is compromised.

It isn't that the RSASSA-PKCS1-v1_5 signature scheme is currently
broken. Revision 00 of the draft had used the RSASSA-PKCS1-v1_5 scheme
to make it easier for implementations, and so I was defending it among
colleagues at first.

However, RSASSA-PSS is a more robust signature scheme with a more exact
proof of security. We evaluated our choice and switched to that for use
with SHA-3 in revision 01 after it was pointed out on this list.

See "The Exact Security of Digital Signatures - How to Sign with RSA and
Rabin", Bellare and Rogaway for why it is an improvement (vs. FDH).

One nuisance of PSS is that it uses entropy during signing (a salt value
per signature) that may make it inconvenient for signing in environments
without an entropy source. However it is possible to create
signatures with a non-random salt (so it was made a "SHOULD" in the
draft) with equivalent security to FDH. With the random salt, it is a
far more robust scheme for RSA signatures.

RSASSA-PKCS1-v1_5 is no longer allowed for new applications due to its
lack of exact security.

I'll reply to the other comments soon.
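An added example, not from the draft or from this thread, showing the per-signature salt the message talks about: EMSA-PSS encoding and verification (RFC 8017 section 9.1) instantiated with SHA3-256 and MGF1, assuming a salt length equal to the hash length. A fresh random salt makes two encodings of the same message differ; a fixed salt (here the empty salt) gives the deterministic, FDH-like variant, and both verify. The RSA private-key operation on the encoded block is left out.

```python
import hashlib
import os

HLEN = 32  # assumption for this example: SHA3-256, so hLen = 32 bytes


def h(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()


def mgf1(seed: bytes, mask_len: int) -> bytes:
    # MGF1 (RFC 8017 appendix B.2.1): Hash(seed || counter) for counter = 0, 1, ...
    blocks = (mask_len + HLEN - 1) // HLEN
    out = b"".join(h(seed + i.to_bytes(4, "big")) for i in range(blocks))
    return out[:mask_len]


def pss_encode(msg: bytes, em_bits: int, salt=None) -> bytes:
    """EMSA-PSS-ENCODE. salt=None draws a random salt (the draft's SHOULD);
    a fixed salt such as b"" yields a deterministic encoding."""
    em_len = (em_bits + 7) // 8
    if salt is None:
        salt = os.urandom(HLEN)
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error: modulus too small for this salt length")
    m_hash = h(msg)
    hh = h(b"\x00" * 8 + m_hash + salt)  # H = Hash(M'), M' = padding || mHash || salt
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt  # PS || 0x01 || salt
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(hh, em_len - HLEN - 1)))
    # clear the leftmost 8*emLen - emBits bits so that EM < 2^emBits
    first = masked_db[0] & (0xFF >> (8 * em_len - em_bits))
    return bytes([first]) + masked_db[1:] + hh + b"\xbc"


def pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY: unmask DB, recover the salt and recompute H."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em[-1] != 0xBC or em_len < HLEN + s_len + 2:
        return False
    masked_db, hh = em[: em_len - HLEN - 1], em[em_len - HLEN - 1 : -1]
    if masked_db[0] & ~(0xFF >> (8 * em_len - em_bits)) & 0xFF:
        return False  # leftmost bits that must be zero are set
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(hh, len(masked_db))))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    ps_len = em_len - HLEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False  # PS is not all zero or the 0x01 separator is missing
    salt = bytes(db[ps_len + 1 :])
    return h(b"\x00" * 8 + h(msg) + salt) == hh
```

For a 2048-bit modulus emBits is 2047, so the encoded block is 256 bytes with its top bit cleared.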