Re: [TLS] Using RSA PSS in TLS
Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 18 January 2015 02:47 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFAB01A9140 for <tls@ietfa.amsl.com>; Sat, 17 Jan 2015 18:47:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.81
X-Spam-Level:
X-Spam-Status: No, score=-2.81 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 61oV-jL8uKDZ for <tls@ietfa.amsl.com>; Sat, 17 Jan 2015 18:47:43 -0800 (PST)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20FD31A912C for <tls@ietf.org>; Sat, 17 Jan 2015 18:47:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1421549263; x=1453085263; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=jPy/LHL0Wkok1Fbr0V9fvS0Q+LupMei53keKVGhU0yU=; b=Vv45nRb3tl1ov3pkVmd0u0Cyu2zieAoBAk8Dykc3ST/2TaxBCr8k/YC8 R4OfBzgYzQLKgi38pqtWOiyMnY+TKW8PkdQJ7PTAfzhHWV4qofZQf9E+8 iiv9lQGg1SEhDAMqINahLaZE4ucGM8Wo3peOpg56Hy+n0nK/mJdNIEGmT c=;
X-IronPort-AV: E=Sophos;i="5.04,630,1406548800"; d="scan'208";a="301951152"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.171 - Outgoing - Outgoing
Received: from uxchange10-fe4.uoa.auckland.ac.nz ([130.216.4.171]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 18 Jan 2015 15:47:39 +1300
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.148]) by uxchange10-fe4.UoA.auckland.ac.nz ([169.254.109.63]) with mapi id 14.03.0174.001; Sun, 18 Jan 2015 15:47:39 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Using RSA PSS in TLS
Thread-Index: AdAyyR9KVIrbJDYoQTaCs9oyQ1giYA==
Date: Sun, 18 Jan 2015 02:47:38 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AAF5D4AB@uxcn10-tdc05.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/C8ZtarLILvkiChtznXeXT08QXcM>
Subject: Re: [TLS] Using RSA PSS in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jan 2015 02:47:48 -0000
Watson Ladd <watsonbladd@gmail.com> writes: >RSA-OEAP has similar error oracle issues, That's one thing I noticed when I implemented it some time ago, OAEP is an absolute goldmine (or minefield) of oracles. PKCS 1.5 is just a straightforward walk-down-the-byte-string check while OAEP requires multiple complex steps to decode/check it, even with very careful ordering of the checks you do to make sure there's very little time difference between them (including deferring checks to cluster them around the same time and similar steps) you can't really create an oracle-free implementation. Peter.
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann
- Re: [TLS] Using RSA PSS in TLS Santosh Chokhani
- [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Hanno Böck
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann
- Re: [TLS] Using RSA PSS in TLS Santosh Chokhani
- Re: [TLS] Using RSA PSS in TLS Santosh Chokhani
- Re: [TLS] Using RSA PSS in TLS Rob Stradling
- Re: [TLS] Using RSA PSS in TLS Martin Rex
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Florian Weimer
- Re: [TLS] Using RSA PSS in TLS CodesInChaos
- Re: [TLS] Using RSA PSS in TLS Fedor Brunner
- Re: [TLS] Using RSA PSS in TLS Hanno Böck
- Re: [TLS] Using RSA PSS in TLS Hanno Böck
- Re: [TLS] Using RSA PSS in TLS Martin Rex
- Re: [TLS] Using RSA PSS in TLS Geoffrey Keating
- Re: [TLS] Using RSA PSS in TLS Watson Ladd
- Re: [TLS] Using RSA PSS in TLS Johannes Merkle
- Re: [TLS] Using RSA PSS in TLS Manuel Pégourié-Gonnard
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann
- Re: [TLS] Using RSA PSS in TLS Martin Rex
- Re: [TLS] Using RSA PSS in TLS Peter Gutmann