Re: [openpgp] RSA-PSS and RSA-OAEP for v5
Santiago Torres-Arias <santiago@archlinux.org> Mon, 01 March 2021 01:38 UTC
Date: Sun, 28 Feb 2021 20:38:44 -0500
From: Santiago Torres-Arias <santiago@archlinux.org>
To: "brian m. carlson" <sandals@crustytoothpaste.net>
Cc: openpgp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/mh6iG2fGREglIlrasjcmSRZ333A>
On Sat, Feb 27, 2021 at 11:53:13PM +0000, brian m. carlson wrote:
> One of the persistent pieces of feedback about OpenPGP I've received
> from folks involved in the security and cryptography fields is that the
> PKCS v1.5 algorithms are obsolete. It is well known that many
> cryptographic libraries have suffered (and will likely continue, despite
> their best efforts, to suffer) from padding vulnerabilities. TLS has
> recently added support for RSA-PSS and it's widely preferred over
> PKCS1-v1.5.
>
> I'm interested in seeing if we can require v5 SKESK packets with RSA use
> RSA-OAEP with SHA-256 and MGF1-SHA-256 and require that v5 signatures
> with RSA use RSA-PSS, with the MGF using the same digest as the
> signature.
>
> Hard-coding SHA-256 as the algorithm for RSA-OAEP means we don't need to
> specify it as a parameter, and since it's the must-implement algorithm,
> there's no reason an implementation won't support it. Folks that wish
> to provide a better than 128-bit security level will use ECDH instead,
> since RSA at the 192-bit level (7680 bit keys) is much slower and such
> keys are not practically used.
>
> I realize this requires implementers to add additional code, but I think
> the increase in security is worth it given the number of CVEs we've seen
> for padding vulnerabilities. We can tell implementers to avoid this
> vulnerability until we're blue in the face, but considering that both
> OpenSSL and NSS had this problem, that doesn't seem prudent.

To add to the conversation, I wanted to share some related bibliography[1]:

"On the Security of the PKCS#1 v1.5 Signature Scheme"
Tibor Jager, Paderborn University, Paderborn, Germany
Saqib A Kakvi, Paderborn University, Paderborn, Germany
Alexander May, Ruhr-University Bochum, Bochum, Germany

The RSA PKCS#1 v1.5 signature algorithm is the most widely used digital
signature scheme in practice. Its two main strengths are its extreme
simplicity, which makes it very easy to implement, and that verification
of signatures is significantly faster than for DSA or ECDSA. Despite the
huge practical importance of RSA PKCS#1 v1.5 signatures, providing formal
evidence for their security based on plausible cryptographic hardness
assumptions has turned out to be very difficult. Therefore the most
recent version of PKCS#1 (RFC 8017) even recommends a replacement the
more complex and less efficient scheme RSA-PSS, as it is provably secure
and therefore considered more robust. The main obstacle is that RSA
PKCS#1 v1.5 signatures use a deterministic padding scheme, which makes
standard proof techniques not applicable. We introduce a new technique
that enables the first security proof for RSA-PKCS#1 v1.5 signatures. We
prove full existential unforgeability against adaptive chosen-message
attacks (EUF-CMA) under the standard RSA assumption. Furthermore, we give
a tight proof under the Phi-Hiding assumption. These proofs are in the
random oracle model and the parameters deviate slightly from the
standard use, because we require a larger output length of the hash
function. However, we also show how RSA-PKCS#1 v1.5 signatures can be
instantiated in practice such that our security proofs apply. In order
to draw a more complete picture of the precise security of RSA PKCS#1
v1.5 signatures, we also give security proofs in the standard model, but
with respect to weaker attacker models (key-only attacks) and based on
known complexity assumptions. The main conclusion of our work is that
from a provable security perspective RSA PKCS#1 v1.5 can be safely used,
if the output length of the hash function is chosen appropriately.

Publication: CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on
Computer and Communications Security, October 2018, Pages 1195–1208

Although I *personally think* that PSS is a better padding algorithm, I'm
also rather cautious not to be as definitive when making calls. This
paper shows two things:

1. It may take many decades to have a formal security proof (even if
   within the random oracle model) of a padding algorithm of this nature.
2. The argument that PSS is somewhat superior because of its
   "mathematically provable security" (i.e., the motivating point for PSS
   on RFC 4096) may not hold that strongly anymore.

I agree that Bleichenbacher's Oracle is an issue within certain uses of
PGP (being such a versatile tool almost always means that you will
always find a use that raises security concerns :P), yet I also wonder
if PKCSv1.5 also ended up having a series of CVEs because it has seen
more field-usage throughout these decades.

Not sure if I personally have a strong stance in any direction, just
wanted to share my perspective...

Cheers!
-Santiago

P.S. I'm also not entirely comfortable with hardcoding a hash algorithm
for OAEP, but that's a different conversation and I may be missing
context.

[1] https://dl.acm.org/doi/10.1145/3243734.3243798

> --
> brian m. carlson (he/him or they/them)
> Houston, Texas, US
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
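To make the "deterministic padding" distinction discussed in this thread concrete, here is an added illustration (not code from either poster, nor from any OpenPGP implementation): the EMSA-PSS encode/verify operations of RFC 8017 with MGF1 instantiated with the same SHA-256 used as the signature digest, as the proposal above suggests, beside the deterministic EMSA-PKCS1-v1_5 encoding. The RSA modular exponentiation that would wrap these encoded messages is left out, and the salt length (equal to the hash length) and emBits of 2047 (a 2048-bit modulus) are assumptions, not values from the thread.

```python
import hashlib, hmac, os

HASH = hashlib.sha256   # the signature digest; MGF1 below uses the same one
HLEN = HASH().digest_size

def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1) instantiated with the signature hash."""
    blocks = (HASH(seed + i.to_bytes(4, "big")).digest()
              for i in range((mask_len + HLEN - 1) // HLEN))
    return b"".join(blocks)[:mask_len]

def emsa_pss_encode(msg: bytes, em_bits: int, salt_len: int = HLEN) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1): a fresh salt makes every EM differ."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + salt_len + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    salt = os.urandom(salt_len)            # assumed salt_len = hLen (RFC default)
    h = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - salt_len - HLEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - HLEN - 1)))
    top = 0xFF >> (8 * em_len - em_bits)   # clear the bits beyond em_bits
    return bytes([masked[0] & top]) + masked[1:] + h + b"\xbc"

def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, salt_len: int = HLEN) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2): True only for a consistent encoding."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top:                   # leading bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, em_len - HLEN - 1)))
    db[0] &= top
    ps_len = em_len - HLEN - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1:])
    h2 = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
    return hmac.compare_digest(h, h2)

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix

def emsa_pkcs1_v1_5_encode(msg: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 8017 9.2): no salt, fixed 0xff padding, deterministic."""
    t = SHA256_DIGESTINFO + HASH(msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t
```

Encoding the same message twice with PSS yields two different encoded messages that both verify, whereas the PKCS#1 v1.5 encoding is byte-for-byte identical each time, which is the property the paper's abstract refers to.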