Re: [TLS] Using RSA PSS in TLS
Fedor Brunner <fedor.brunner@azet.sk> Wed, 14 January 2015 17:23 UTC
Return-Path: <fedor.brunner@azet.sk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17DE41A910A for <tls@ietfa.amsl.com>; Wed, 14 Jan 2015 09:23:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.105
X-Spam-Level:
X-Spam-Status: No, score=-0.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HELO_EQ_SK=1.35, HOST_EQ_SK=0.555, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sp6JqvJppbaf for <tls@ietfa.amsl.com>; Wed, 14 Jan 2015 09:23:28 -0800 (PST)
Received: from smtp-01-out.s.azet.sk (smtp-09-out.s.azet.sk [91.235.53.34]) by ietfa.amsl.com (Postfix) with ESMTP id B9B461A90F0 for <tls@ietf.org>; Wed, 14 Jan 2015 09:23:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=azet.sk; s=azet; t=1421256207; bh=QDrh5hoqe8DPDFYdmlkeNKTNEo76vVffYCmw8y26738=; h=Date:From:To:Subject:References:In-Reply-To:From; b=Se5SEwSR+FVFy6h6Uwll47T8w4Y2qZNJqaPl0iEYqfx7/KD5XzpGNSU0VHAknBA7v 1+GAcG68sJefzrm0bVtPquWeMXlk+op0vaXOyYFV1vl9qOwFbA9dBSXALRpYo7H1dC FOLaBpGFT+qYJj6i+z0Kcce5go4c7tSEb7aAQEPM=
X-Virus-Scanned: by AntiSpam at azet.sk
Received: from [0.0.0.0] (euserv4-10.rana.at [81.7.8.101]) (Authenticated sender: fedor.brunner@azet.sk) by smtp.azet.sk (Postfix) with ESMTPA id 0A32286 for <tls@ietf.org>; Wed, 14 Jan 2015 18:23:23 +0100 (CET)
X-SenderID: Sendmail Sender-ID Filter v1.0.0 smtp.azet.sk 0A32286
Authentication-Results: smtp.azet.sk; sender-id=fail (NotPermitted) header.from=fedor.brunner@azet.sk; auth=pass (PLAIN); spf=fail (NotPermitted) smtp.mfrom=fedor.brunner@azet.sk
Message-ID: <54B6A607.7080009@azet.sk>
Date: Wed, 14 Jan 2015 18:23:19 +0100
From: Fedor Brunner <fedor.brunner@azet.sk>
MIME-Version: 1.0
To: tls@ietf.org
References: <525BADBD.8020007@secunet.com> <54B67A19.9010507@redhat.com> <CAK9dnSzJ3SzO0aBAU5RvywjU-HQ1o12De8+PYUuyy1sUdR7+CA@mail.gmail.com>
In-Reply-To: <CAK9dnSzJ3SzO0aBAU5RvywjU-HQ1o12De8+PYUuyy1sUdR7+CA@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/8drJMbUcPn0NEomP_1wtpZuUDVg>
Subject: Re: [TLS] Using RSA PSS in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jan 2015 17:23:31 -0000
Better solution would be to use RSA-KEM (see basic description in RFC 5990) instead of PKCS#1v1.5 encryption. The RSA-KEM is secure in the random oracle model (modelling the KDF as a random oracle), with very good security guarantees: Johan Hastad and Mats Naslund. The security of all RSA and discrete log bits. http://www.nada.kth.se/~johanh/hnrsaacm.pdf Victor Shoup. A Proposal for an ISO Standard for Public Key Encryption. https://eprint.iacr.org/2001/112.pdf On 14.01.2015 15:32, CodesInChaos wrote: > On Wed, Jan 14, 2015 at 3:15 PM, Florian Weimer <fweimer@redhat.com> wrote: >> What about changing PFS for the RSA ciphersuites so that they continue to >> use RSA encryption, and not rely on an RSA signature for server >> authentication? > > Switching from PKCS#1v1.5 encryption to OAEP is just as tricky as > switching from PKCS#1v1.5 signing to PSS signatures. > > I consider the risk of PKCS#1v1.5 encryption far bigger than the risk > of PKCS#1v1.5 signatures. > I'm not aware of any attack against PKCS#1v1.5 signatures, they > merely lack a security proof. > PKCS#1v1.5 encryption is problematic since detectable decryption > failures can act as an oracle. Implementations need to be really > careful to avoid these. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann
- Re: [TLS] Using RSA PSS in TLS Santosh Chokhani
- [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Hanno Böck
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann
- Re: [TLS] Using RSA PSS in TLS Santosh Chokhani
- Re: [TLS] Using RSA PSS in TLS Santosh Chokhani
- Re: [TLS] Using RSA PSS in TLS Rob Stradling
- Re: [TLS] Using RSA PSS in TLS Martin Rex
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Florian Weimer
- Re: [TLS] Using RSA PSS in TLS CodesInChaos
- Re: [TLS] Using RSA PSS in TLS Fedor Brunner
- Re: [TLS] Using RSA PSS in TLS Hanno Böck
- Re: [TLS] Using RSA PSS in TLS Hanno Böck
- Re: [TLS] Using RSA PSS in TLS Martin Rex
- Re: [TLS] Using RSA PSS in TLS Geoffrey Keating
- Re: [TLS] Using RSA PSS in TLS Watson Ladd
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Manuel Pégourié-Gonnard
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann
- Re: [TLS] Using RSA PSS in TLS Martin Rex
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann