Re: [TLS] PSS for TLS 1.3

Brian Smith <brian@briansmith.org> Mon, 23 March 2015 01:53 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8339F1A8761 for <tls@ietfa.amsl.com>; Sun, 22 Mar 2015 18:53:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IbnJbOXo1Z17 for <tls@ietfa.amsl.com>; Sun, 22 Mar 2015 18:53:40 -0700 (PDT)
Received: from mail-oi0-f47.google.com (mail-oi0-f47.google.com [209.85.218.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C86F31A875E for <tls@ietf.org>; Sun, 22 Mar 2015 18:53:40 -0700 (PDT)
Received: by oiag65 with SMTP id g65so129735689oia.2 for <tls@ietf.org>; Sun, 22 Mar 2015 18:53:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=CVdfVslWNQRrCxHl7YP5KHP1nnkRxT6Az/ION12ABxw=; b=gLgHCM20xB+Hkc+FsxyPeZ1G7FD1HiZauaLrgUWWB1tLSdUMXCXgO1uhOxeO+DN3Qk SPvrWxGh72f7btJQJCwMzweVv++bNkUId0w+9xSV+nY02rCmlF6fqJHxsoe1QuiOIRbR 29kP39RvqRARjuapnKcKx+cR6v/4tQ7/YGLvWv58VlL8uDJo1dVLBqlvSDDOXkWGFptX ORyAE7D6gNA3Z7oW6zFwZwNGj9yhc5WsyS6TolHE06fTfZIxQG38wq2FDdExk6uS2zje uUF2Q4cl1cKi2fIMMXQ7PzoW7aZD4tB2+bKNMpi6MMKMAyMn0OrCSse8GHtq97BP3fh+ l1sg==
X-Gm-Message-State: ALoCoQlMYPF7trtyB2DiiLNRhaoBJYlQRNrR2cAjY74/kaan6MGFQrgp5xEswGwTPQi5b8tcd69E
MIME-Version: 1.0
X-Received: by 10.60.82.10 with SMTP id e10mr15381045oey.85.1427075620216; Sun, 22 Mar 2015 18:53:40 -0700 (PDT)
Received: by 10.76.144.105 with HTTP; Sun, 22 Mar 2015 18:53:40 -0700 (PDT)
In-Reply-To: <CABcZeBOeoyggJfma8rvyeRrh6Dw+oSp5P-oUG0MR3ZprBOyUPQ@mail.gmail.com>
References: <CABcZeBOeoyggJfma8rvyeRrh6Dw+oSp5P-oUG0MR3ZprBOyUPQ@mail.gmail.com>
Date: Sun, 22 Mar 2015 15:53:40 -1000
Message-ID: <CAFewVt6GN0pxRRpKa+Yxg9AcEX8n9gymoh_RqdefAav1OP-eiA@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/BtJer4yKeigyPuac4tjC2eUhi3Y>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PSS for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 01:53:42 -0000

Eric Rescorla <ekr@rtfm.com> wrote:
> Obviously, if we want to move to PSS, option #2 is simplest, but
> the sentiment at the interim was to survey the WG to see whether
> there was widespread enough support for generating and verifying
> PSS to make this feasible [0].

PSS with which parameters?

My suggestion is that, if PSS is used, (SHA-256, MGF-SHA-256, 32-byte
salt) should be used with the SHA-256-based PRF and that (SHA-384,
MGF-SHA-384, 48-byte salt) should be used with the SHA-384-based PRFs.

[1] notes that there is a security advantage to using the same digest
function for the MGF as was used for digesting the signed data. It
would be a mistake to mandate support for MGF-SHA-1 in PSS signatures
in TLS 1.3, because a TLS 1.3 implementation shouldn't be need to
implement SHA-1 at all.

Some implementations are hard-coded to support only MGF-SHA-1 and 20
byte salts. It is better to require those implementations to be
updated than to require all implementations to implement SHA-1 just
for the MGF.

Cheers,
Brian

[1] https://tools.ietf.org/html/rfc3447#section-8.1