Re: [TLS] Universal PSKs

Ilari Liusvaara <> Fri, 15 June 2018 15:19 UTC

Date: Fri, 15 Jun 2018 18:19:20 +0300
From: Ilari Liusvaara <>
To: David Benjamin <>
Cc: Nikos Mavrogiannopoulos <>, "<>" <>
Message-ID: <20180615151920.GA18406@LK-Perkele-VII>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On Fri, Jun 15, 2018 at 10:56:48AM -0400, David Benjamin wrote:
> On Fri, Jun 15, 2018 at 7:37 AM Nikos Mavrogiannopoulos <>
> wrote:
> I think it's a little more complex than that. Keys used in multiple ways
> are affected by interactions between those uses, so formal analysis tends
> to want to exclude these cases. So, yes, ideally we would separate every
> key everywhere. But, as Hubert notes elsewhere in the thread, we wish for
> the TLS 1.3 upgrade to be as smooth as possible, which includes being able
> to reuse any externally-provisioned keys (RSA, symmetric, or whatever).
> These two desires are in tension.
> For stuff like RSA, we don't have easy ways around this. If you have an
> id-rsaEncryption key---which is common---that's what you've got. So the RFC
> 4055 and TLS 1.3, for practicality's sake, allow this.

I once calculated that it is extremely unlikely that there exists _any_
RSA plaintext that is a valid signature (for possibly different messages)
as both RSA PKCS#1 v1.5 and RSA-PSS.

This is regardless of whether such a plaintext would be feasible to find, or
whether it was feasible to find one or both of the messages it signs.

However, a straight-out collision might not be a realistic model of this. But
on the other hand, with hashes, collision resistance of both hashes does not
imply one cannot feasibly find cross-collisions or even cross-second-
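To make the structural point above concrete, here is an added example (written for this page; it is not code from the thread, from RFC 8017, or from any TLS implementation). It implements the EMSA-PKCS1-v1_5 encoding and the EMSA-PSS encoding/verification of RFC 8017 from hashlib alone, assuming a 2048-bit modulus and SHA-256 for both schemes, and shows that an encoded message produced by one scheme fails the structural checks of the other. The "RSA plaintext" in the message above is this encoded message EM. The last function gives a heuristic count (treating MGF1 and the hash as random functions, which is an assumption of the example) of how many EMs could be valid under both schemes at once: with the salt length TLS 1.3 requires (equal to the digest length) the expected number is about 2^-1280; the estimate depends on the salt length the verifier accepts, so it is exposed as a parameter.

```python
import hashlib

HASH = hashlib.sha256
H_LEN = 32
MOD_BITS = 2048               # assumed key size for the example
EM_LEN = MOD_BITS // 8        # 256-byte encoded message

# DER DigestInfo prefix for SHA-256 (RFC 8017, Section 9.2, Note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(msg: bytes, em_len: int = EM_LEN) -> bytes:
    """RFC 8017 9.2: EM = 0x00 || 0x01 || PS (0xFF bytes) || 0x00 || T."""
    t = SHA256_DIGESTINFO + HASH(msg).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def emsa_pkcs1_v15_verify(msg: bytes, em: bytes) -> bool:
    """v1.5 verification is a deterministic re-encode-and-compare."""
    return em == emsa_pkcs1_v15_encode(msg, len(em))


def mgf1(seed: bytes, length: int) -> bytes:
    """RFC 8017 B.2.1 mask generation function."""
    out = b""
    counter = 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def emsa_pss_encode(msg: bytes, salt: bytes, em_bits: int = MOD_BITS - 1) -> bytes:
    """RFC 8017 9.1.1 with sLen = len(salt): EM = maskedDB || H || 0xBC."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("encoding error")
    m_prime = b"\x00" * 8 + HASH(msg).digest() + salt
    h = HASH(m_prime).digest()
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    lead_bits = 8 * em_len - em_bits           # leftmost bits that must be zero
    masked_db = bytes([masked_db[0] & (0xFF >> lead_bits)]) + masked_db[1:]
    return masked_db + h + b"\xbc"


def emsa_pss_verify(msg: bytes, em: bytes, s_len: int, em_bits: int = MOD_BITS - 1) -> bool:
    """RFC 8017 9.1.2; returns False at the first structural check that fails."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2:
        return False
    if em[-1] != 0xBC:                          # trailer byte
        return False
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    lead_bits = 8 * em_len - em_bits
    if masked_db[0] & ~(0xFF >> lead_bits) & 0xFF:   # leading bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, len(masked_db))))
    db[0] &= 0xFF >> lead_bits
    ps_len = em_len - H_LEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:       # DB = 0^ps_len || 0x01 || salt
        return False
    salt = bytes(db[-s_len:]) if s_len else b""
    return HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest() == h


def expected_dual_valid_count_log2(em_len: int = EM_LEN, h_len: int = H_LEN,
                                   s_len: int = H_LEN) -> int:
    """log2 of the expected number of EMs valid as both v1.5 and PSS (heuristic).

    Assumption: MGF1 and the hash behave as random functions.  Every v1.5 EM is
    fixed by its digest, so there are 2^(8*h_len) candidates.  PSS additionally
    needs the trailer 0xBC (2^-8) and, after unmasking, ps_len zero bytes plus
    the 0x01 separator (2^-(8*(ps_len+1))); the salt is then free and a message
    hashing to the recovered H is assumed to exist.
    """
    ps_len = em_len - h_len - s_len - 2
    return 8 * h_len - 8 - 8 * (ps_len + 1)


if __name__ == "__main__":
    msg = b"constructed test message"              # constructed input
    salt = bytes(range(H_LEN))
    pss_em = emsa_pss_encode(msg, salt)
    v15_em = emsa_pkcs1_v15_encode(msg)
    print("PSS EM verifies as PSS :", emsa_pss_verify(msg, pss_em, H_LEN))
    print("v1.5 EM verifies as PSS:", emsa_pss_verify(msg, v15_em, H_LEN))
    print("PSS EM verifies as v1.5:", emsa_pkcs1_v15_verify(msg, pss_em))
    print("log2 E[#dual-valid EMs]:", expected_dual_valid_count_log2())
```

The mismatch is not probabilistic for a well-formed v1.5 EM under normal parameters: its leading bytes 0x00 0x01 0xFF... are the masked DB as far as a PSS verifier is concerned, and unmasking them with MGF1 of the bytes it takes for H almost never yields the required run of zero bytes followed by 0x01. Conversely a PSS EM starts with a pseudorandom byte (top bit cleared), not 0x00 0x01, so the deterministic v1.5 comparison fails immediately.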