Re: [TLS] Using RSA PSS in TLS
mrex@sap.com (Martin Rex) Thu, 15 January 2015 00:50 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2488E1B2A86 for <tls@ietfa.amsl.com>; Wed, 14 Jan 2015 16:50:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.251
X-Spam-Level:
X-Spam-Status: No, score=-6.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DYEFenr7c8P8 for <tls@ietfa.amsl.com>; Wed, 14 Jan 2015 16:50:34 -0800 (PST)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 522451B2A72 for <tls@ietf.org>; Wed, 14 Jan 2015 16:50:34 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 455683A403; Thu, 15 Jan 2015 01:50:32 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 286FA425C9; Thu, 15 Jan 2015 01:50:32 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 1FBC41B0EA; Thu, 15 Jan 2015 01:50:32 +0100 (CET)
In-Reply-To: <20150115013149.0185bea4@pc>
To: Hanno Böck <hanno@hboeck.de>
Date: Thu, 15 Jan 2015 01:50:32 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20150115005032.1FBC41B0EA@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/AdN0nliyeTQOcrXlHAs24JjjX4E>
Cc: tls@ietf.org
Subject: Re: [TLS] Using RSA PSS in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jan 2015 00:50:40 -0000
Hanno Böck wrote: [ Charset UTF-8 unsupported, converting... ] > On Wed, 14 Jan 2015 15:32:42 +0100 > CodesInChaos <codesinchaos@gmail.com> wrote: > > > I consider the risk of PKCS#1v1.5 encryption far bigger than the risk > > of PKCS#1v1.5 signatures. > > I'm not aware of any attack against PKCS#1v1.5 signatures, they > > merely lack a security proof. > > Bleichenbacher's signature forgery attack [1], which has recently been > re-discovered in combination with some ASN.1 issues under the name > BERserk [2]. > > Sure, these are "mere implementation issues". You can do PKCS #1 1.5 > signatures right - just like you can do PKCS #1 1.5 encryption right. > It's just that people did it wrong multiple times. I don't see simliar > risks with PSS, it's the much more robust solution. The problem really is the original bogus approach how to _verify_ PKCS#1 v1.5 signatures. If the spec was tightened to prohibit *all* kinds of parsing of the RSA-decrypted BT01 padding signature plaintext, and instead required rebuilding of the BT01 padding from the input hash value and input hash oid, and comparison of the newly composed result with what the RSA decryption returned, then none of the parser problems for RSA PKCS#1 v1.5 signatures would have existed. That approach to RSA signature verification is actually the one recommended by PKCS#1 v2.1 for the RSASSA-PKCS1-V1_5-VERIFY operation. https://tools.ietf.org/html/rfc3447#section-8.2.2 And given its age (rfc3447 was published in February 2003), the more robust verification _could_ have been required for TLSv1.1 (2006) and TLSv1.2 (2008), but such improvements seem to have been rotting in the same forgotten drawer as Serge Vaudenay's proposed fix to the CBC mac-pad-encrypt weakness... -Martin
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann
- Re: [TLS] Using RSA PSS in TLS Santosh Chokhani
- [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Hanno Böck
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann
- Re: [TLS] Using RSA PSS in TLS Santosh Chokhani
- Re: [TLS] Using RSA PSS in TLS Santosh Chokhani
- Re: [TLS] Using RSA PSS in TLS Rob Stradling
- Re: [TLS] Using RSA PSS in TLS Martin Rex
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Florian Weimer
- Re: [TLS] Using RSA PSS in TLS CodesInChaos
- Re: [TLS] Using RSA PSS in TLS Fedor Brunner
- Re: [TLS] Using RSA PSS in TLS Hanno Böck
- Re: [TLS] Using RSA PSS in TLS Hanno Böck
- Re: [TLS] Using RSA PSS in TLS Martin Rex
- Re: [TLS] Using RSA PSS in TLS Geoffrey Keating
- Re: [TLS] Using RSA PSS in TLS Watson Ladd
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Manuel Pégourié-Gonnard
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann
- Re: [TLS] Using RSA PSS in TLS Martin Rex
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann