[saag] RSA-PSS

Russ Housley <housley@vigilsec.com> Wed, 04 December 2013 11:05 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 4A0EA1AE232 for <saag@ietfa.amsl.com>; Wed, 4 Dec 2013 03:05:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id c6OJ9oxJP7-i for <saag@ietfa.amsl.com>; Wed, 4 Dec 2013 03:05:44 -0800 (PST)
Received: from odin.smetech.net (mail.smetech.net []) by ietfa.amsl.com (Postfix) with ESMTP id 4B14D1AE222 for <saag@ietf.org>; Wed, 4 Dec 2013 03:05:44 -0800 (PST)
Received: from localhost (unknown []) by odin.smetech.net (Postfix) with ESMTP id B8BB2F24092 for <saag@ietf.org>; Wed, 4 Dec 2013 06:05:31 -0500 (EST)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([]) by localhost (ronin.smeinc.net []) (amavisd-new, port 10024) with ESMTP id dRazMQ0A948S for <saag@ietf.org>; Wed, 4 Dec 2013 06:05:09 -0500 (EST)
Received: from v150.vpn.iad.rg.net (v150.vpn.iad.rg.net []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 4880EF24085 for <saag@ietf.org>; Wed, 4 Dec 2013 06:05:10 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Wed, 4 Dec 2013 06:04:57 -0500
Message-Id: <F56DAA5B-C531-4FD9-A287-953D30C55315@vigilsec.com>
To: IETF SAAG <saag@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1085)
X-Mailer: Apple Mail (2.1085)
Subject: [saag] RSA-PSS
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2013 11:05:46 -0000

We have known for a very long time that PKCS #1 Version 1.5 (see RFC 2313) signature is more fragile than we might like.  PKCS #1 Version 1.5 signatures were developed in an ad hoc manner; RSASSA-PSS as specified in PKCS #1 Version 2.1 (see RFC 3447) was developed based on mathematical foundations.

I am aware of two attacks against PKCS #1 Version 1.5 implementations:

First, the Bleichenbacher attack against implementations.  In this attack, implementations do not calculate the length of the padding, but rather scan the 0xff at the beginning until they find a 0x00 byte.  Also, a small RSA exponent (for example e=3).

Second, fault-based attacks described by Boneh and others.  By injecting random faults into the RSA calculations, the attacker is able to regenerate the private key from the knowledge of faulty signatures.

RSA-PSS offers significant improvement against both of these attacks.

We have seen very little movement toward RSA-PSS.  While we are reviewing algorithm choices in light of the pervasive surveillance situation, I think we should take the time to consider improvements in our algorithm choices.