Re: [TLS] Using RSA PSS in TLS

Fedor Brunner <fedor.brunner@azet.sk> Wed, 14 January 2015 17:23 UTC

Return-Path: <fedor.brunner@azet.sk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17DE41A910A for <tls@ietfa.amsl.com>; Wed, 14 Jan 2015 09:23:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.105
X-Spam-Level:
X-Spam-Status: No, score=-0.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HELO_EQ_SK=1.35, HOST_EQ_SK=0.555, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sp6JqvJppbaf for <tls@ietfa.amsl.com>; Wed, 14 Jan 2015 09:23:28 -0800 (PST)
Received: from smtp-01-out.s.azet.sk (smtp-09-out.s.azet.sk [91.235.53.34]) by ietfa.amsl.com (Postfix) with ESMTP id B9B461A90F0 for <tls@ietf.org>; Wed, 14 Jan 2015 09:23:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=azet.sk; s=azet; t=1421256207; bh=QDrh5hoqe8DPDFYdmlkeNKTNEo76vVffYCmw8y26738=; h=Date:From:To:Subject:References:In-Reply-To:From; b=Se5SEwSR+FVFy6h6Uwll47T8w4Y2qZNJqaPl0iEYqfx7/KD5XzpGNSU0VHAknBA7v 1+GAcG68sJefzrm0bVtPquWeMXlk+op0vaXOyYFV1vl9qOwFbA9dBSXALRpYo7H1dC FOLaBpGFT+qYJj6i+z0Kcce5go4c7tSEb7aAQEPM=
X-Virus-Scanned: by AntiSpam at azet.sk
Received: from [0.0.0.0] (euserv4-10.rana.at [81.7.8.101]) (Authenticated sender: fedor.brunner@azet.sk) by smtp.azet.sk (Postfix) with ESMTPA id 0A32286 for <tls@ietf.org>; Wed, 14 Jan 2015 18:23:23 +0100 (CET)
X-SenderID: Sendmail Sender-ID Filter v1.0.0 smtp.azet.sk 0A32286
Authentication-Results: smtp.azet.sk; sender-id=fail (NotPermitted) header.from=fedor.brunner@azet.sk; auth=pass (PLAIN); spf=fail (NotPermitted) smtp.mfrom=fedor.brunner@azet.sk
Message-ID: <54B6A607.7080009@azet.sk>
Date: Wed, 14 Jan 2015 18:23:19 +0100
From: Fedor Brunner <fedor.brunner@azet.sk>
MIME-Version: 1.0
To: tls@ietf.org
References: <525BADBD.8020007@secunet.com> <54B67A19.9010507@redhat.com> <CAK9dnSzJ3SzO0aBAU5RvywjU-HQ1o12De8+PYUuyy1sUdR7+CA@mail.gmail.com>
In-Reply-To: <CAK9dnSzJ3SzO0aBAU5RvywjU-HQ1o12De8+PYUuyy1sUdR7+CA@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/8drJMbUcPn0NEomP_1wtpZuUDVg>
Subject: Re: [TLS] Using RSA PSS in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jan 2015 17:23:31 -0000

Better solution would be to use RSA-KEM (see basic description in RFC
5990) instead of PKCS#1v1.5 encryption.

The RSA-KEM is secure in the random oracle model (modelling the KDF as a
random oracle), with very good security guarantees:

Johan Hastad and Mats Naslund. The security of all RSA and discrete log
bits.
http://www.nada.kth.se/~johanh/hnrsaacm.pdf

Victor Shoup. A Proposal for an ISO Standard for Public Key Encryption.
https://eprint.iacr.org/2001/112.pdf

On 14.01.2015 15:32, CodesInChaos wrote:
> On Wed, Jan 14, 2015 at 3:15 PM, Florian Weimer <fweimer@redhat.com> wrote:
>> What about changing PFS for the RSA ciphersuites so that they continue to
>> use RSA encryption, and not rely on an RSA signature for server
>> authentication?
> 
> Switching from PKCS#1v1.5 encryption to OAEP is just as tricky as
> switching from PKCS#1v1.5 signing to PSS signatures.
> 
> I consider the risk of PKCS#1v1.5 encryption far bigger than the risk
> of PKCS#1v1.5 signatures.
> I'm not aware of any attack against  PKCS#1v1.5 signatures, they
> merely lack a security proof.
> PKCS#1v1.5 encryption is problematic since detectable decryption
> failures can act as an oracle. Implementations need to be really
> careful to avoid these.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>