IETF Logo Mail Archive

Re: [TLS] PSS and TLS 1.3

Nikos Mavrogiannopoulos <nmav@redhat.com> Mon, 06 February 2017 00:12 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9429F129560 for <tls@ietfa.amsl.com>; Sun, 5 Feb 2017 16:12:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.923
X-Spam-Level:
X-Spam-Status: No, score=-6.923 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRD_FTxPW1cn for <tls@ietfa.amsl.com>; Sun, 5 Feb 2017 16:12:10 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61CC6129557 for <tls@ietf.org>; Sun, 5 Feb 2017 16:12:10 -0800 (PST)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E51276315A; Mon, 6 Feb 2017 00:12:10 +0000 (UTC)
Received: from ovpn-116-19.ams2.redhat.com (ovpn-116-19.ams2.redhat.com [10.36.116.19]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v160C6PN003870 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 5 Feb 2017 19:12:08 -0500
Message-ID: <1486339925.22876.1.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Mon, 06 Feb 2017 01:12:05 +0100
In-Reply-To: <20170123105241.GB28101@LK-Perkele-V2.elisa-laajakaista.fi>
References: <e993599c-f69d-2db3-f3f3-f40caf810bd6@drh-consultancy.co.uk> <1485158728.3068.5.camel@redhat.com> <20170123105241.GB28101@LK-Perkele-V2.elisa-laajakaista.fi>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Mon, 06 Feb 2017 00:12:11 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/87QsmbKjo-KtInI9gk-PGjW549o>
Cc: "tls@ietf.org list" <tls@ietf.org>
Subject: Re: [TLS] PSS and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Feb 2017 00:12:11 -0000

On Mon, 2017-01-23 at 12:52 +0200, Ilari Liusvaara wrote:
> On Mon, Jan 23, 2017 at 09:05:28AM +0100, Nikos Mavrogiannopoulos
> wrote:
> > On Fri, 2017-01-20 at 17:43 +0000, Dr Stephen Henson wrote:
> > 
> > > Additionally PSS signatures (see RFC4055) can be used with RSA
> > > keys
> > > (rsaEncryption OID) and RSA-PSS only keys (id-RSASSA-PSS OID).
> > > Does
> > > the RSASSA-PSS mean that both types must be accepted?
> > 
> > That's a quite interesting finding. Although that protocol behavior
> > seems to ease transition to RSASSA-PSS, it also paves the field for
> > new
> > cross protocol attacks. A server which can sign with either of
> > RSASSA-
> > PSS and RSA-PKCS1 and the same key is certainly less secure than a
> > server which can sign with either of them. The only way to enforce
> > that
> > a key is restricted is by requiring the id-RSASSA-PSS OID for
> > RSASSA-
> > PSS.
> 
> Unfortunately, dedicated RSA-PSS keys are pretty much undeployable,
> and
> requirement to use those would be de facto the same as removing RSA
> server signatures entierely from TLS 1.3[1].
> 
> I don't know any CA that would certify RSA-PSS keys. And adding new
> key
> types is a slow process. Heck, Certifying ECDSA keys are poorly
> supported among CAs[2].
> 
> And looking at RSA-PKCS1 and RSA-PSS, it doesn't seem likely that
> there
> exists a EM that is both valid in RSA-PKCS1 and RSA-PSS for any
> messages, unless keysizes are too small, hashes are too large or
> salts are too large.

The issue is that we cannot tell for sure. Any proof of security 
assumes that the keys are restricted to a single scheme. So I think we
got into a trap where we intended to increase security, while in fact
reduced the protocol's security, by ending-up adding RSA-PSS in a way
that can share keys with PKCS#1 1.5. I think that we should treat RSA-
PSS as the mean to increase security rather than the end-goal.

Even if the approach of separating keys would mean that RSA-PSS will
not be deployed immediately, it will allow implementors to provide
well-behaved clients that will refuse to mix marked as RSA-PSS keys
with the legacy ones. On the current protocol description it is
impossible for an implementor to do that. The reason is that if one
does that, his software will not be functional, will fail to connect to
several web servers, and thus will have to compromise (functionality
always wins over security).


> [2] Some commercial CAs (don't have list) and Let's Encrypt (signed 
> with RSA[3] and even then most ACME software can't handle those)..

TLS 1.3 requiring a different key type, will provide an incentive for
them to update.

regards,
Nikos

v2.23.0 | Report a Bug | By Email