[openpgp] RSA-PSS and RSA-OAEP for v5

"brian m. carlson" <sandals@crustytoothpaste.net> Sat, 27 February 2021 23:53 UTC

Date: Sat, 27 Feb 2021 23:53:13 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Message-ID: <YDrbaRiQ34MstP30@camp.crustytoothpaste.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/NNbClufoHSmEZsy7A7N-NSywNG8>
Subject: [openpgp] RSA-PSS and RSA-OAEP for v5

One of the persistent pieces of feedback about OpenPGP I've received
from folks involved in the security and cryptography fields is that the
PKCS v1.5 algorithms are obsolete.  It is well known that many
cryptographic libraries have suffered (and will likely continue, despite
their best efforts, to suffer) from padding vulnerabilities.  TLS has
recently added support for RSA-PSS and it's widely preferred over
PKCS1-v1.5.

I'm interested in seeing if we can require v5 SKESK packets with RSA use
RSA-OAEP with SHA-256 and MGF1-SHA-256 and require that v5 signatures
with RSA use RSA-PSS, with the MGF using the same digest as the
signature.

Hard-coding SHA-256 as the algorithm for RSA-OAEP means we don't need to
specify it as a parameter, and since it's the must-implement algorithm,
there's no reason an implementation won't support it.  Folks that wish
to provide a better than 128-bit security level will use ECDH instead,
since RSA at the 192-bit level (7680 bit keys) is much slower and such
keys are not practically used.

I realize this requires implementers to add additional code, but I think
the increase in security is worth it given the number of CVEs we've seen
for padding vulnerabilities.  We can tell implementers to avoid this
vulnerability until we're blue in the face, but considering that both
OpenSSL and NSS had this problem, that doesn't seem prudent.
-- 
brian m. carlson (he/him or they/them)
Houston, Texas, US