Re: [TLS] RSA-PSS in TLS 1.3

Watson Ladd <watsonbladd@gmail.com> Tue, 01 March 2016 18:26 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C45E71B37D8 for <tls@ietfa.amsl.com>; Tue, 1 Mar 2016 10:26:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 13tFwiZWYiHK for <tls@ietfa.amsl.com>; Tue, 1 Mar 2016 10:26:45 -0800 (PST)
Received: from mail-vk0-x229.google.com (mail-vk0-x229.google.com [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79CCB1B34C1 for <tls@ietf.org>; Tue, 1 Mar 2016 10:26:37 -0800 (PST)
Received: by mail-vk0-x229.google.com with SMTP id e185so176686410vkb.1 for <tls@ietf.org>; Tue, 01 Mar 2016 10:26:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=vQXkITl3Qd3tyu01tbT+zAJ3EnvKax3e7qj++B5OeEs=; b=RPd32DLrj6eu7SL15wu/tlI5cB6iu9WxDSt5l1rF59sTBQl+c3ut7WIDGVQLYXwThA e7tk6ReqgUdBXTnwB1qy8gQnHQ2bYMryWlLfFnO825GrFsJ3CEIfP0TplzgJqtA1GEMq u02UjTOJySRJOGR61/lA7h1mtchMT11m+x54fNJH/I/icuSRlcD1rz4dsH8fZNWitnai +DoNHZomWKPLJsnbpoyNqxdysDS2ITIugQSZNdlY//TC908pCNR5k5ShdBapMMN1wEUN kGx4T3CiixW56rlFeH8YrKgc9ChDcGEls3nzAUQcAHiMN5yfbtObsjBfWuXRUmX40Nte Ae3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=vQXkITl3Qd3tyu01tbT+zAJ3EnvKax3e7qj++B5OeEs=; b=YGjegcRZP8cgOUerjBLIpAh6zY5gPEZM8zUKI2THRdMfIKtPxXtUri/ldqdlfU5twb rM69IxDnathhUZsp+1qJUK1PuirD3KfU8iCXV+FbXZEGfIkYH2ub4JtAGTc5D6VRTGI5 44PNaD/2rbc3scQk7TD+eDLnQo7CV+u0ZWcSoorrNOeTPbtlFm4Yq9HoKLUH2ZqwBNyj +DnCjDytzalSRgvtnVpucJeXm1PETRf/sgCOMFqCSRNjev0ekBxP/mxy788zTHXNCQNg /grFAYtN/IAJ4MEglctdLYLAyYdMuyheIH9/F9aHMvRDL24jlqI9KRBnhKGTKd6W/719 mo1w==
X-Gm-Message-State: AD7BkJKwm/iFj0kx6cTw8w1QHmaVpytA8tFN1eAkLG6YF9DVnHTM4nBfDdUxIkfqyZS/3AU5FwBJRdVndeV/Jg==
MIME-Version: 1.0
X-Received: by 10.31.162.3 with SMTP id l3mr17088284vke.68.1456856796517; Tue, 01 Mar 2016 10:26:36 -0800 (PST)
Received: by 10.176.1.183 with HTTP; Tue, 1 Mar 2016 10:26:35 -0800 (PST)
Received: by 10.176.1.183 with HTTP; Tue, 1 Mar 2016 10:26:35 -0800 (PST)
In-Reply-To: <56D5DE1D.3000708@akr.io>
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <56D4ABAD.90902@brainhub.org> <20160229233617.5466ebd3@pc1> <56D51FFB.9050909@brainhub.org> <DE710794-CA42-48E1-9AB9-A2BE2899E071@gmail.com> <56D5DE1D.3000708@akr.io>
Date: Tue, 1 Mar 2016 10:26:35 -0800
Message-ID: <CACsn0c=BOOf9z0fASaE_D_Nv1Bbck3bRj_JDZZaHnk-5d5x0LQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Alyssa Rowan <akr@akr.io>
Content-Type: multipart/alternative; boundary=001a114406ead85b6f052d00e7ba
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/BWKO6Y8uW1Jm7zxtHkH_GeKkigE>
Cc: tls@ietf.org
Subject: Re: [TLS] RSA-PSS in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2016 18:26:46 -0000

On Mar 1, 2016 10:23 AM, "Alyssa Rowan" <akr@akr.io> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 2016-03-01 11:35, Yoav Nir wrote:
>
> >>> [HB] We have an RFC for PSS since 2003. We had several attacks
> >>> showing the weakness of PKCS #1 1.5.
>
> And so (maybe not entirely coincidentally!): another attack, dubbed
> DROWN, just emerged¹, using SSLv2 as - you guessed it - a
> Bleichenbacher padding oracle against RSA PKCS#1 v1.5!

PSS doesn't help against Bleichenbacher attacks on encryption. The attack
still can compute a private key operation.

What we really need is key seperation or use of ECC certs only.

>
> (Please do stop me if you've heard this one before! <g>)
>
> >> [AJ] Why not ban PKCS #1.5 altogether from TLS 1.3? It will not
> >> only make TLS 1.3 more secure, but code simpler and footprint
> >> smaller. Besides, it's reasonable: TLS 1.2 already allows PSS in
> >> X.509
>
> A very strong +1 as far as I'm concerned.
>
> > [YN] It would be cool to ban PKCS#1.5 from certificates, but we
> > are not the PKIX working group. Nor are we the CA/Browser forum.
> > When a CA issues a certificate it has to work with every client
> > and server out there, When we use TLS 1.3, the other side supports
> > TLS 1.3 as well, so it’s fair to assume that it knows PSS.
>
> Perhaps the PKIX working group and CAB/Forum could both use a friendly
> reminder not to ignore how perilous using RSA PKCS#1 v1.5 still remains?
> ___
> [1] <https://drownattack.com/drown-attack-paper.pdf>
>
> - --
> /akr
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJW1d4SAAoJEOyEjtkWi2t6kIQP/2Ziaeu2RGqHqV1Oa6dB0+Go
> iPbrrHe9C7l7yHxWfhur6ldGUnqAKyzhD5X0RHby0lbpXTcBFQjWPQ3shZE8CUV2
> mM4N2UyoAu5w1kOkSvHImeWrtdOPDTBTZhwFJjzEHtLkri6+CXzKE82B94WfhX8/
> ddQxg9uaV7eDEcW4um+vn0NG/+IuiJvfVTX7YtNj0yVSvEO7bm6/WRHsWV0FaQ+C
> HtNawk+KP966PLUPH1N6vBvhNpiZkMtv3QUsKbzAQDn8SPfXHWGy2CBxPLjtIv2w
> dTmY9dOxJsc7KswtM7DJQqx7azgeGAlLc8MV1PyXw1fIq2qtVI4Fk1+DNrMteC5B
> cNkez/nPwR01FFj3QV5OnbpcqIX1v9nmGrpDuFw+99xcMjgRrSRc3boclV8/H0PA
> k8XllkgmXj75TkqSkPV1YXVwOJAT65Uwke7tKHf4TwXSwz+qZVji+y8ZqZ7ACs2/
> Pp3IrlNLuJUmFjE+p8zhhEQU6fQjEdkAxT/3KY8/1nKxlXByFVHu1p1jZk7aWBtw
> aSEDLCI4XKKAJ118yXRtHXxA7LGNujsBYCoSp1A4Rkce57Ea7iuVd4pmctbMgiTA
> g3UAb7cE4NflzRyQd1Gbycu6wenovj9bOD4HRdTuADRdfGpXv8HMEG+eOUuE7DHx
> Af4y+IDpfW7HTraWjiKX
> =iX03
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls