IETF Logo Mail Archive

Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 12 September 2017 18:33 UTC

Return-Path: <prvs=04280396fd=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39426132EC0 for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 11:33:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kgv1qObUMdhm for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 11:33:27 -0700 (PDT)
Received: from llmx2.ll.mit.edu (LLMX2.LL.MIT.EDU [129.55.12.48]) by ietfa.amsl.com (Postfix) with ESMTP id 09A6A126B6D for <tls@ietf.org>; Tue, 12 Sep 2017 11:33:25 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTP id v8CIXMTC013876; Tue, 12 Sep 2017 14:33:22 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Hubert Kario <hkario@redhat.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
Thread-Index: AQHTKPY4UhEi4+aSakGFOcW9qXdI/qKwTHOAgAE+SwCAAAg8AIAAGaSAgAAeLAD//76AAIAAS62A///EVIA=
Date: Tue, 12 Sep 2017 18:33:21 +0000
Message-ID: <C63A6903-6F5E-4975-A160-94312A549D79@ll.mit.edu>
References: <20170908225948.GC31695@al> <5159391.MM5YjT3ssF@pintsize.usersys.redhat.com> <21C4A934-8B10-40A8-950F-0E7B61F08613@ll.mit.edu> <10457521.MfgfQs1Zne@pintsize.usersys.redhat.com>
In-Reply-To: <10457521.MfgfQs1Zne@pintsize.usersys.redhat.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.25.0.170815
x-originating-ip: [172.25.177.12]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3588071601_482689662"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-09-12_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1709120258
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8OsAOQ6ae4yN3rD0xfbQgw9usJk>
Subject: Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2017 18:33:31 -0000

    What Stephen is pointing at, is a server certificate (End Entity certificate) 
    when using RSA-PSS public key id in the X.509 certificate can have RSA-PSS 
    parameters in the public key id or can have them omitted.

Yes. And I concur with him that it is better to omit them, enforcing the default. The default being:
- Hash algorithm the same as specified in Signature Algorithm
- MGF1 hash is the same as above
- Salt length same as digest length above

    When the parameters 
    are omitted, it means that that key can be used for signing with any hash 
    (SHA-1, SHA-256, SHA-384, SHA3-256, etc.) but must be used with rsa-pss 
    padding scheme.

Not quite. Since this key is a part of the given certificate – RSA-PSS padding scheme should be used with the same hash as “Signature Algorithm” specifies.

    When the parameters are present the hash is set in stone and 
    that key can then be used to sign with one hash and one hash only - the hash 
    that is specified in certificate (and rsa-pss padding).

I think the point Stephen was making is that Signature Algorithm specifies a hash – and there’s no reason to use a different one for MGF1.
    
    Now, if the certificate specifies in parameters SHA384 hash and client 
    advertises support only for SHA256 with RSA-PSS, the server should switch to 
    (e.g.) ECDSA certificate that does not have that limitation and continue 
    connection instead of aborting the connection (very bad) or sending 
    certificate which most likely will be rejected by client as not 
    understandable/unverifiable (bad).

This is a different question. The point being addressed here is that each certificate is internally consistent, using the same hash for all the purposes within that certificate.

If the server’s certificate is signed with SHA384, so be it. There’s no reason for a client to not support SHA384 *for signature verification*, as hardware token restrictions shouldn’t apply here – it’s software-based validation.
    
    What I've added is that that limitation may not come from the certificate but 
    may come from the cryptographic module (software or hardware) that implements 
    rsa-pss with just one or two hashes, irrespective of rsa-pss parameters in the 
    certificate public key id.

The cryptographic module would perform RSA-PSS *signature* with whatever hashes it can. It won’t bother with *validation*, so this module’s limitations shouldn’t matter.
    
    So, I'm not sure what hash you are suggesting should be "the same everywhere".

Within one certificate – one hash. I.e., *no* SHA512 in Signature Algorithm, SHA384 for message hash in SHA384-RSA-PKCS-PSS, SHA256 for MGF1.

    I'm quite sure you're not suggesting that we should limit TLS 1.3 to SHA256 
    only (no SHA384 or SHA512), are you?

Oh no – I’m eccentric but not quite insane yet. ;-)

v2.23.0 | Report a Bug | By Email