Re: [TLS] Using RSA PSS in TLS

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 18 January 2015 02:47 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Date: Sun, 18 Jan 2015 02:47:38 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AAF5D4AB@uxcn10-tdc05.UoA.auckland.ac.nz>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/C8ZtarLILvkiChtznXeXT08QXcM>
Subject: Re: [TLS] Using RSA PSS in TLS

Watson Ladd <watsonbladd@gmail.com> writes:

> RSA-OAEP has similar error oracle issues,

That's one thing I noticed when I implemented it some time ago: OAEP is an
absolute goldmine (or minefield) of oracles.  PKCS 1.5 is just a
straightforward walk-down-the-byte-string check, while OAEP requires multiple
complex steps to decode/check it; even with very careful ordering of the
checks you do to make sure there's very little time difference between them
(including deferring checks to cluster them around the same time and similar
steps), you can't really create an oracle-free implementation.

Peter.
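An added example (not code from this thread or from any of its participants) that makes the contrast concrete: an EME-OAEP decoder written so that all four of its checks (leading byte, lHash, padding-string contents, separator) run unconditionally and are folded into one error accumulator, next to an EME-PKCS1-v1_5 unpad written in the same style. Both operate on the encoded message EM that comes out of the RSA private-key operation, so RSA itself is omitted; the hash (SHA-256), the EM length k = 128 and the sample messages are assumptions of the example. Python cannot deliver genuine constant time (the interpreter branches on every comparison), so what the block shows is the structure a careful implementation needs, not a timing guarantee.

```python
"""EME-OAEP decode with all checks folded into one accumulator, beside a
PKCS#1 v1.5 unpad in the same style.  Added example, not code from the thread.
Works on the k-byte EM only (RSA omitted).  Python cannot give real constant
time; the point is the structure: every check runs, its result is OR-ed into
`err`, and a single decision is taken at the end."""
import hashlib
import os

HASH = hashlib.sha256            # assumption: SHA-256 as hash and MGF1 hash
H_LEN = HASH().digest_size       # 32


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 Appendix B.2.1) built on HASH."""
    out, counter = b"", 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(msg: bytes, k: int, label: bytes = b"", seed: bytes = None) -> bytes:
    """EME-OAEP encoding (RFC 8017 7.1.1 step 2): returns the k-byte EM.
    `seed` is a parameter only so that tests can be deterministic."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    db = HASH(label).digest() + b"\x00" * (k - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    seed = os.urandom(H_LEN) if seed is None else seed
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, label: bytes = b""):
    """EME-OAEP decoding (RFC 8017 7.1.2 step 3).  Returns (ok, msg).
    Four conditions can fail (Y byte, lHash, PS contents, missing 0x01
    separator); all are evaluated unconditionally and OR-ed into `err`."""
    if len(em) != k:                      # length is public: safe to branch on
        raise ValueError("EM has wrong length")
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))

    err = y                               # check 1: leading byte must be 0x00
    for a, b in zip(HASH(label).digest(), db[:H_LEN]):
        err |= a ^ b                      # check 2: lHash must match
    found, sep_index = 0, 0
    for i, byte in enumerate(db[H_LEN:]):
        is_zero, is_one = int(byte == 0), int(byte == 1)
        err |= (1 - found) & (1 - is_zero) & (1 - is_one)  # check 3: PS all 0x00
        sep_index |= i * (is_one & (1 - found))            # remember first 0x01
        found |= is_one
    err |= 1 - found                      # check 4: separator 0x01 must exist
    msg = db[H_LEN + sep_index + 1:]      # computed whether or not err != 0
    return (err == 0, msg if err == 0 else None)


def pkcs1_v15_decode(em: bytes):
    """EME-PKCS1-v1_5 decoding (RFC 8017 7.2.2 step 3) in the same style:
    EM = 0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || M.  One walk
    down the byte string is the whole check."""
    err = em[0] | (em[1] ^ 0x02)          # header bytes must be 0x00 0x02
    found, sep_index = 0, 0
    for i, byte in enumerate(em[2:]):
        is_zero = int(byte == 0)
        sep_index |= i * (is_zero & (1 - found))           # first 0x00 ends PS
        found |= is_zero
    err |= 1 - found                      # separator must exist
    err |= int(sep_index < 8)             # PS must be at least 8 bytes
    msg = em[2 + sep_index + 1:]
    return (err == 0, msg if err == 0 else None)


if __name__ == "__main__":
    k = 128                               # EM length for a 1024-bit modulus (assumed)
    em = oaep_encode(b"attack at dawn", k)   # constructed sample message
    print(oaep_decode(em, k))
    print(oaep_decode(b"\x01" + em[1:], k))  # bad Y byte: every later check still runs
```

The OAEP decoder does two MGF1 expansions, a hash comparison and a scan with two state bits before it can say anything, and each of those is a place where an early return or a data-dependent branch would leak which check failed; the v1.5 decoder has one scan and two header bytes. That difference in surface area is what the post is describing.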