Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 12 September 2017 18:33 UTC
Return-Path: <prvs=04280396fd=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39426132EC0 for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 11:33:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kgv1qObUMdhm for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 11:33:27 -0700 (PDT)
Received: from llmx2.ll.mit.edu (LLMX2.LL.MIT.EDU [129.55.12.48]) by ietfa.amsl.com (Postfix) with ESMTP id 09A6A126B6D for <tls@ietf.org>; Tue, 12 Sep 2017 11:33:25 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTP id v8CIXMTC013876; Tue, 12 Sep 2017 14:33:22 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Hubert Kario <hkario@redhat.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
Thread-Index: AQHTKPY4UhEi4+aSakGFOcW9qXdI/qKwTHOAgAE+SwCAAAg8AIAAGaSAgAAeLAD//76AAIAAS62A///EVIA=
Date: Tue, 12 Sep 2017 18:33:21 +0000
Message-ID: <C63A6903-6F5E-4975-A160-94312A549D79@ll.mit.edu>
References: <20170908225948.GC31695@al> <5159391.MM5YjT3ssF@pintsize.usersys.redhat.com> <21C4A934-8B10-40A8-950F-0E7B61F08613@ll.mit.edu> <10457521.MfgfQs1Zne@pintsize.usersys.redhat.com>
In-Reply-To: <10457521.MfgfQs1Zne@pintsize.usersys.redhat.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.25.0.170815
x-originating-ip: [172.25.177.12]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3588071601_482689662"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-09-12_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1709120258
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8OsAOQ6ae4yN3rD0xfbQgw9usJk>
Subject: Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2017 18:33:31 -0000
What Stephen is pointing at, is a server certificate (End Entity certificate) when using RSA-PSS public key id in the X.509 certificate can have RSA-PSS parameters in the public key id or can have them omitted. Yes. And I concur with him that it is better to omit them, enforcing the default. The default being: - Hash algorithm the same as specified in Signature Algorithm - MGF1 hash is the same as above - Salt length same as digest length above When the parameters are omitted, it means that that key can be used for signing with any hash (SHA-1, SHA-256, SHA-384, SHA3-256, etc.) but must be used with rsa-pss padding scheme. Not quite. Since this key is a part of the given certificate – RSA-PSS padding scheme should be used with the same hash as “Signature Algorithm” specifies. When the parameters are present the hash is set in stone and that key can then be used to sign with one hash and one hash only - the hash that is specified in certificate (and rsa-pss padding). I think the point Stephen was making is that Signature Algorithm specifies a hash – and there’s no reason to use a different one for MGF1. Now, if the certificate specifies in parameters SHA384 hash and client advertises support only for SHA256 with RSA-PSS, the server should switch to (e.g.) ECDSA certificate that does not have that limitation and continue connection instead of aborting the connection (very bad) or sending certificate which most likely will be rejected by client as not understandable/unverifiable (bad). This is a different question. The point being addressed here is that each certificate is internally consistent, using the same hash for all the purposes within that certificate. If the server’s certificate is signed with SHA384, so be it. There’s no reason for a client to not support SHA384 *for signature verification*, as hardware token restrictions shouldn’t apply here – it’s software-based validation. What I've added is that that limitation may not come from the certificate but may come from the cryptographic module (software or hardware) that implements rsa-pss with just one or two hashes, irrespective of rsa-pss parameters in the certificate public key id. The cryptographic module would perform RSA-PSS *signature* with whatever hashes it can. It won’t bother with *validation*, so this module’s limitations shouldn’t matter. So, I'm not sure what hash you are suggesting should be "the same everywhere". Within one certificate – one hash. I.e., *no* SHA512 in Signature Algorithm, SHA384 for message hash in SHA384-RSA-PKCS-PSS, SHA256 for MGF1. I'm quite sure you're not suggesting that we should limit TLS 1.3 to SHA256 only (no SHA384 or SHA512), are you? Oh no – I’m eccentric but not quite insane yet. ;-)
- [TLS] RSASSA-PSS in certificates and "signature_a… Peter Wu
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Ilari Liusvaara
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Dr Stephen Henson
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Eric Rescorla
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Nick Sullivan
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Nikos Mavrogiannopoulos
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Ilari Liusvaara
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Martin Rex
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Ilari Liusvaara
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Martin Rex
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Dr Stephen Henson
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Nikos Mavrogiannopoulos
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Dr Stephen Henson
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Eric Rescorla
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario