Re: [TLS] Using RSA PSS in TLS

mrex@sap.com (Martin Rex) Thu, 15 January 2015 00:50 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2488E1B2A86 for <tls@ietfa.amsl.com>; Wed, 14 Jan 2015 16:50:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.251
X-Spam-Level:
X-Spam-Status: No, score=-6.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DYEFenr7c8P8 for <tls@ietfa.amsl.com>; Wed, 14 Jan 2015 16:50:34 -0800 (PST)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 522451B2A72 for <tls@ietf.org>; Wed, 14 Jan 2015 16:50:34 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 455683A403; Thu, 15 Jan 2015 01:50:32 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 286FA425C9; Thu, 15 Jan 2015 01:50:32 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 1FBC41B0EA; Thu, 15 Jan 2015 01:50:32 +0100 (CET)
In-Reply-To: <20150115013149.0185bea4@pc>
To: Hanno Böck <hanno@hboeck.de>
Date: Thu, 15 Jan 2015 01:50:32 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20150115005032.1FBC41B0EA@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/AdN0nliyeTQOcrXlHAs24JjjX4E>
Cc: tls@ietf.org
Subject: Re: [TLS] Using RSA PSS in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jan 2015 00:50:40 -0000

Hanno Böck wrote:

[ Charset UTF-8 unsupported, converting... ]
> On Wed, 14 Jan 2015 15:32:42 +0100
> CodesInChaos <codesinchaos@gmail.com> wrote:
> 
> > I consider the risk of PKCS#1v1.5 encryption far bigger than the risk
> > of PKCS#1v1.5 signatures.
> > I'm not aware of any attack against  PKCS#1v1.5 signatures, they
> > merely lack a security proof.
> 
> Bleichenbacher's signature forgery attack [1], which has recently been
> re-discovered in combination with some ASN.1 issues under the name
> BERserk [2].
> 
> Sure, these are "mere implementation issues". You can do PKCS #1 1.5
> signatures right - just like you can do PKCS #1 1.5 encryption right.
> It's just that people did it wrong multiple times. I don't see simliar
> risks with PSS, it's the much more robust solution.

The problem really is the original bogus approach how to _verify_
PKCS#1 v1.5 signatures.
If the spec was tightened to prohibit *all* kinds of parsing
of the RSA-decrypted BT01 padding signature plaintext,
and instead required rebuilding of the BT01 padding from the input hash
value and input hash oid, and comparison of the newly composed result
with what the RSA decryption returned, then none of the parser problems
for RSA PKCS#1 v1.5 signatures would have existed.

That approach to RSA signature verification is actually the one
recommended by PKCS#1 v2.1 for the RSASSA-PKCS1-V1_5-VERIFY operation.

  https://tools.ietf.org/html/rfc3447#section-8.2.2

And given its age (rfc3447 was published in February 2003),
the more robust verification _could_ have been required for
TLSv1.1 (2006) and TLSv1.2 (2008), but such improvements seem
to have been rotting in the same forgotten drawer as Serge Vaudenay's
proposed fix to the CBC mac-pad-encrypt weakness...


-Martin