Re: [TLS] RSA-PSS in TLS 1.3

Hanno Böck <hanno@hboeck.de> Fri, 04 March 2016 13:55 UTC

Date: Fri, 04 Mar 2016 14:55:25 +0100
From: Hanno Böck <hanno@hboeck.de>
To: mrex@sap.com
Message-ID: <20160304145525.1fe5cb63@pc1>
In-Reply-To: <20160304134513.EED9E1A45C@ld9781.wdf.sap.corp>
References: <20160229190021.59516808@pc1> <20160304134513.EED9E1A45C@ld9781.wdf.sap.corp>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=_zucker.schokokeks.org-12399-1457099723-0001-2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6xbpcoynZBmvLK2Y3Mn_3fXTcWg>
Cc: tls@ietf.org
Subject: Re: [TLS] RSA-PSS in TLS 1.3
Precedence: list

On Fri, 4 Mar 2016 14:45:13 +0100 (CET)
mrex@sap.com (Martin Rex) wrote:

> What should have adopted for TLSv1.2 already, however, is the less
> forgiving PKCS#1 v1.5 signature check, that re-creates the encoding
> and then compares the recreated inner encoding with the RSA-decrypted
> encoding only.  Get rid of the de-padding and get rid of the ASN.1
> decoding of the contents.

The Problem with this is that you're relying on the implementor to get
it right. Sure, you're giving them a receip how they could implement
the check to be correct, but you have no way of checking whether they
actually follow that receip.
Given all past experiences I'd bet you can write whatever you want in
your new standards document, no implementor will replace their
(seemingly working, but insecure) PKCS #1 1.5 implementation as long
as it works, just because you say they have to do it in a
different way than they did in the past.

> The *huge* advantage of PKCS#1 v1.5 signatures over RSA-PSS and ECDSA
> signatures is that one can clearly distinguish "wrong public key"
> from "signature does not fit plaintext" errors, and loosing this
> capability makes certain kinds of programming goofs (plus a few
> admin configuration goofs) much harder to distinguish from
> data corruption during transfer.

Actually I see this as a disadvantage. Separating different error
states has been the source of a whole number of vulnerabilities. The
original Bleichenbacher attack (and all its variants including drown)
is based on separating different errors, the Vaudenay attack is.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42

Re: [TLS] RSA-PSS in TLS 1.3 Andrey Jivsov
Re: [TLS] RSA-PSS in TLS 1.3 Russ Housley
Re: [TLS] RSA-PSS in TLS 1.3 Joseph Salowey
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Hanno Böck
[TLS] RSA-PSS in TLS 1.3 Joseph Salowey
Re: [TLS] RSA-PSS in TLS 1.3 Viktor Dukhovni
Re: [TLS] RSA-PSS in TLS 1.3 Benjamin Beurdouche
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Brian Smith
Re: [TLS] RSA-PSS in TLS 1.3 Andrey Jivsov
Re: [TLS] RSA-PSS in TLS 1.3 Salz, Rich
Re: [TLS] RSA-PSS in TLS 1.3 Andrey Jivsov
Re: [TLS] RSA-PSS in TLS 1.3 Dave Garrett
Re: [TLS] RSA-PSS in TLS 1.3 Hanno Böck
Re: [TLS] RSA-PSS in TLS 1.3 Andrey Jivsov
Re: [TLS] RSA-PSS in TLS 1.3 Martin Thomson
Re: [TLS] RSA-PSS in TLS 1.3 Viktor Dukhovni
Re: [TLS] RSA-PSS in TLS 1.3 Viktor Dukhovni
Re: [TLS] RSA-PSS in TLS 1.3 Martin Thomson
Re: [TLS] RSA-PSS in TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Alyssa Rowan
Re: [TLS] RSA-PSS in TLS 1.3 Watson Ladd
Re: [TLS] RSA-PSS in TLS 1.3 Viktor Dukhovni
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Hanno Böck
Re: [TLS] RSA-PSS in TLS 1.3 Martin Thomson
Re: [TLS] RSA-PSS in TLS 1.3 Andrey Jivsov
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Viktor Dukhovni
Re: [TLS] RSA-PSS in TLS 1.3 Rob Stradling
Re: [TLS] RSA-PSS in TLS 1.3 Rob Stradling
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Eric Rescorla
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Dave Garrett
Re: [TLS] RSA-PSS in TLS 1.3 Dang, Quynh (Fed)
Re: [TLS] RSA-PSS in TLS 1.3 Hanno Böck
Re: [TLS] RSA-PSS in TLS 1.3 Dang, Quynh (Fed)
Re: [TLS] RSA-PSS in TLS 1.3 Blumenthal, Uri - 0553 - MITLL
Re: [TLS] RSA-PSS in TLS 1.3 Hanno Böck
Re: [TLS] RSA-PSS in TLS 1.3 Dang, Quynh (Fed)
Re: [TLS] RSA-PSS in TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] RSA-PSS in TLS 1.3 Martin Rex
Re: [TLS] RSA-PSS in TLS 1.3 Scott Fluhrer (sfluhrer)
Re: [TLS] RSA-PSS in TLS 1.3 Hanno Böck
Re: [TLS] RSA-PSS in TLS 1.3 Martin Rex
Re: [TLS] RSA-PSS in TLS 1.3 Fedor Brunner
Re: [TLS] RSA-PSS in TLS 1.3 Martin Rex
Re: [TLS] RSA-PSS in TLS 1.3 Hubert Kario
Re: [TLS] RSA-PSS in TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] RSA-PSS in TLS 1.3 Hannes Mehnert
Re: [TLS] RSA-PSS in TLS 1.3 Scott Fluhrer (sfluhrer)
Re: [TLS] RSA-PSS in TLS 1.3 Ilari Liusvaara
Re: [TLS] RSA-PSS in TLS 1.3 Scott Fluhrer (sfluhrer)
Re: [TLS] RSA-PSS in TLS 1.3 Scott Fluhrer (sfluhrer)
Re: [TLS] RSA-PSS in TLS 1.3 Hubert Kario
Re: [TLS] RSA-PSS in TLS 1.3 Tony Arcieri
[TLS] (TLS1.3 - algorithm agility support is enou… Rene Struik
Re: [TLS] (TLS1.3 - algorithm agility support is … Blumenthal, Uri - 0553 - MITLL
Re: [TLS] (TLS1.3 - algorithm agility support is … Scott Fluhrer (sfluhrer)
Re: [TLS] RSA-PSS in TLS 1.3 Scott Fluhrer (sfluhrer)
Re: [TLS] RSA-PSS in TLS 1.3 Hubert Kario
Re: [TLS] RSA-PSS in TLS 1.3 Viktor Dukhovni
Re: [TLS] RSA-PSS in TLS 1.3 Hubert Kario
Re: [TLS] RSA-PSS in TLS 1.3 Tony Arcieri