Re: [TLS] RSA-PSS in TLS 1.3

Hanno Böck <> Fri, 04 March 2016 13:55 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B9A811A00B6 for <>; Fri, 4 Mar 2016 05:55:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MANGLED_BACK=2.3, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id B_l_16f9ixHz for <>; Fri, 4 Mar 2016 05:55:27 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B63301A0113 for <>; Fri, 4 Mar 2016 05:55:27 -0800 (PST)
Received: from pc1 ( [::ffff:]) (AUTH: LOGIN, TLS: TLSv1/SSLv3, 128bits, ECDHE-RSA-AES128-GCM-SHA256) by with ESMTPSA; Fri, 04 Mar 2016 14:55:23 +0100 id 0000000000000027.0000000056D993CB.0000306F
Date: Fri, 4 Mar 2016 14:55:25 +0100
From: Hanno =?UTF-8?B?QsO2Y2s=?= <>
To: (Martin Rex)
Message-ID: <20160304145525.1fe5cb63@pc1>
In-Reply-To: <>
References: <20160229190021.59516808@pc1> <>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary=""
Archived-At: <>
Subject: Re: [TLS] RSA-PSS in TLS 1.3
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Mar 2016 13:55:29 -0000

On Fri, 4 Mar 2016 14:45:13 +0100 (CET) (Martin Rex) wrote:

> What should have adopted for TLSv1.2 already, however, is the less
> forgiving PKCS#1 v1.5 signature check, that re-creates the encoding
> and then compares the recreated inner encoding with the RSA-decrypted
> encoding only.  Get rid of the de-padding and get rid of the ASN.1
> decoding of the contents.

The Problem with this is that you're relying on the implementor to get
it right. Sure, you're giving them a receip how they could implement
the check to be correct, but you have no way of checking whether they
actually follow that receip.
Given all past experiences I'd bet you can write whatever you want in
your new standards document, no implementor will replace their
(seemingly working, but insecure) PKCS #1 1.5 implementation as long
as it works, just because you say they have to do it in a
different way than they did in the past.

> The *huge* advantage of PKCS#1 v1.5 signatures over RSA-PSS and ECDSA
> signatures is that one can clearly distinguish "wrong public key"
> from "signature does not fit plaintext" errors, and loosing this
> capability makes certain kinds of programming goofs (plus a few
> admin configuration goofs) much harder to distinguish from
> data corruption during transfer.

Actually I see this as a disadvantage. Separating different error
states has been the source of a whole number of vulnerabilities. The
original Bleichenbacher attack (and all its variants including drown)
is based on separating different errors, the Vaudenay attack is.

Hanno Böck