Re: [TLS] RSA-PSS in TLS 1.3
Watson Ladd <watsonbladd@gmail.com> Tue, 01 March 2016 18:26 UTC
In-Reply-To: <56D5DE1D.3000708@akr.io>
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <56D4ABAD.90902@brainhub.org> <20160229233617.5466ebd3@pc1> <56D51FFB.9050909@brainhub.org> <DE710794-CA42-48E1-9AB9-A2BE2899E071@gmail.com> <56D5DE1D.3000708@akr.io>
Date: Tue, 01 Mar 2016 10:26:35 -0800
Message-ID: <CACsn0c=BOOf9z0fASaE_D_Nv1Bbck3bRj_JDZZaHnk-5d5x0LQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Alyssa Rowan <akr@akr.io>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/BWKO6Y8uW1Jm7zxtHkH_GeKkigE>
Cc: tls@ietf.org
On Mar 1, 2016 10:23 AM, "Alyssa Rowan" <akr@akr.io> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 2016-03-01 11:35, Yoav Nir wrote:
>
> >>> [HB] We have an RFC for PSS since 2003. We had several attacks
> >>> showing the weakness of PKCS #1 1.5.
>
> And so (maybe not entirely coincidentally!): another attack, dubbed
> DROWN, just emerged¹, using SSLv2 as - you guessed it - a
> Bleichenbacher padding oracle against RSA PKCS#1 v1.5!

PSS doesn't help against Bleichenbacher attacks on encryption. The attack
still can compute a private key operation. What we really need is key
separation or use of ECC certs only.

>
> (Please do stop me if you've heard this one before! <g>)
>
> >> [AJ] Why not ban PKCS #1.5 altogether from TLS 1.3? It will not
> >> only make TLS 1.3 more secure, but code simpler and footprint
> >> smaller. Besides, it's reasonable: TLS 1.2 already allows PSS in
> >> X.509
>
> A very strong +1 as far as I'm concerned.
>
> > [YN] It would be cool to ban PKCS#1.5 from certificates, but we
> > are not the PKIX working group. Nor are we the CA/Browser forum.
> > When a CA issues a certificate it has to work with every client
> > and server out there, When we use TLS 1.3, the other side supports
> > TLS 1.3 as well, so it's fair to assume that it knows PSS.
>
> Perhaps the PKIX working group and CAB/Forum could both use a friendly
> reminder not to ignore how perilous using RSA PKCS#1 v1.5 still remains?
>
> ___
> [1] <https://drownattack.com/drown-attack-paper.pdf>
>
> - --
> /akr
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJW1d4SAAoJEOyEjtkWi2t6kIQP/2Ziaeu2RGqHqV1Oa6dB0+Go
> iPbrrHe9C7l7yHxWfhur6ldGUnqAKyzhD5X0RHby0lbpXTcBFQjWPQ3shZE8CUV2
> mM4N2UyoAu5w1kOkSvHImeWrtdOPDTBTZhwFJjzEHtLkri6+CXzKE82B94WfhX8/
> ddQxg9uaV7eDEcW4um+vn0NG/+IuiJvfVTX7YtNj0yVSvEO7bm6/WRHsWV0FaQ+C
> HtNawk+KP966PLUPH1N6vBvhNpiZkMtv3QUsKbzAQDn8SPfXHWGy2CBxPLjtIv2w
> dTmY9dOxJsc7KswtM7DJQqx7azgeGAlLc8MV1PyXw1fIq2qtVI4Fk1+DNrMteC5B
> cNkez/nPwR01FFj3QV5OnbpcqIX1v9nmGrpDuFw+99xcMjgRrSRc3boclV8/H0PA
> k8XllkgmXj75TkqSkPV1YXVwOJAT65Uwke7tKHf4TwXSwz+qZVji+y8ZqZ7ACs2/
> Pp3IrlNLuJUmFjE+p8zhhEQU6fQjEdkAxT/3KY8/1nKxlXByFVHu1p1jZk7aWBtw
> aSEDLCI4XKKAJ118yXRtHXxA7LGNujsBYCoSp1A4Rkce57Ea7iuVd4pmctbMgiTA
> g3UAb7cE4NflzRyQd1Gbycu6wenovj9bOD4HRdTuADRdfGpXv8HMEG+eOUuE7DHx
> Af4y+IDpfW7HTraWjiKX
> =iX03
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
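The distinction Watson Ladd draws above, that PSS changes only the signature encoding while the private-key operation itself is shared with RSA decryption, and his proposed remedy of key separation, as an added Python example that is not part of this thread or any IETF document. Everything in it is constructed for illustration: the Mersenne-prime moduli are far too small and unbalanced for real use, the signature encoding is a toy stand-in for EMSA-PSS, and the `usage` field models the kind of key-usage policy an HSM or an X.509 keyUsage extension would enforce.

```python
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class RSAKey:
    n: int
    e: int
    d: int
    usage: frozenset  # allowed purposes: subset of {"sign", "decrypt"}

    @property
    def k(self) -> int:
        return (self.n.bit_length() + 7) // 8  # modulus length in bytes


def make_key(p: int, q: int, usage, e: int = 65537) -> RSAKey:
    return RSAKey(p * q, e, pow(e, -1, (p - 1) * (q - 1)), frozenset(usage))


def rsa_private(key: RSAKey, purpose: str, x: int) -> int:
    """The single primitive x^d mod n that both decryption and signing reduce to.
    The usage check is the key-separation policy: a key provisioned only for
    signing can never perform a decryption, and vice versa."""
    if purpose not in key.usage:
        raise PermissionError(f"key not authorised for '{purpose}'")
    return pow(x, key.d, key.n)


def rsa_public(key: RSAKey, x: int) -> int:
    return pow(x, key.e, key.n)


# RSAES-PKCS1-v1_5 (RFC 8017 7.2): 00 02 || random non-zero PS (>= 8 bytes) || 00 || M
def encrypt_v15(key: RSAKey, msg: bytes) -> bytes:
    if len(msg) > key.k - 11:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < key.k - len(msg) - 3:
        ps += bytes(b for b in os.urandom(16) if b != 0)
    ps = ps[: key.k - len(msg) - 3]
    em = b"\x00\x02" + ps + b"\x00" + msg
    return rsa_public(key, int.from_bytes(em, "big")).to_bytes(key.k, "big")


def decrypt_v15(key: RSAKey, ct: bytes) -> bytes:
    em = rsa_private(key, "decrypt", int.from_bytes(ct, "big")).to_bytes(key.k, "big")
    sep = em.find(b"\x00", 2)
    # One combined check and one error: real code must not reveal which part
    # of the padding failed (RFC 8017 7.2.2 note on padding oracles).
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]


def _toy_sig_encoding(key: RSAKey, msg: bytes) -> bytes:
    # Toy hash-then-pad encoding (00 01 ff..ff 00 || SHA-256(msg)) standing in
    # for EMSA-PSS. PSS would randomise this encoding, but the private
    # operation fed with it is the same one decrypt_v15 uses.
    h = hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (key.k - len(h) - 3) + b"\x00" + h


def sign(key: RSAKey, msg: bytes) -> bytes:
    em = _toy_sig_encoding(key, msg)
    return rsa_private(key, "sign", int.from_bytes(em, "big")).to_bytes(key.k, "big")


def verify(key: RSAKey, msg: bytes, sig: bytes) -> bool:
    recovered = rsa_public(key, int.from_bytes(sig, "big")).to_bytes(key.k, "big")
    return recovered == _toy_sig_encoding(key, msg)


# Constructed toy parameters: Mersenne primes, so the moduli are easy to write
# down. Unbalanced and far too small for real use.
P1, Q1 = 2**521 - 1, 2**127 - 1
P2, Q2 = 2**607 - 1, 2**89 - 1


def key_separation_demo() -> dict:
    results = {}
    # TLS 1.2 style: one certificate key both authenticates (signs) and unwraps
    # RSA key exchange (decrypts). Whatever the signature padding, the decrypt
    # path exercises the same x^d mod n, so the two uses share their fate.
    shared = make_key(P1, Q1, {"sign", "decrypt"})
    results["shared_decrypt_ok"] = decrypt_v15(shared, encrypt_v15(shared, b"premaster")) == b"premaster"
    results["shared_sign_ok"] = verify(shared, b"transcript", sign(shared, b"transcript"))
    # Key separation: a signing-only key for authentication and a distinct
    # decrypt-only key for any legacy RSA key-exchange endpoint.
    sign_only = make_key(P1, Q1, {"sign"})
    decrypt_only = make_key(P2, Q2, {"decrypt"})
    try:
        decrypt_v15(sign_only, encrypt_v15(sign_only, b"x"))
        results["sign_key_refuses_decrypt"] = False
    except PermissionError:
        results["sign_key_refuses_decrypt"] = True
    try:
        sign(decrypt_only, b"x")
        results["decrypt_key_refuses_sign"] = False
    except PermissionError:
        results["decrypt_key_refuses_sign"] = True
    return results


if __name__ == "__main__":
    for name, ok in key_separation_demo().items():
        print(f"{name}: {ok}")
```

The design point is in `rsa_private`: `decrypt_v15` and `sign` are two encodings in front of one modular exponentiation, which is why changing the signature scheme to PSS does nothing for a key that also terminates RSA key exchange. The `usage` check is what key separation buys: with distinct keys per purpose, no decryption-side behaviour can involve the signing key at all.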