Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA
mrex@sap.com (Martin Rex) Mon, 08 August 2016 12:55 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5362A126D74 for <tls@ietfa.amsl.com>; Mon, 8 Aug 2016 05:55:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.922
X-Spam-Level:
X-Spam-Status: No, score=-6.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l3sd1eOiYGjP for <tls@ietfa.amsl.com>; Mon, 8 Aug 2016 05:55:18 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F27D312B004 for <tls@ietf.org>; Mon, 8 Aug 2016 05:55:17 -0700 (PDT)
Received: from mail06.wdf.sap.corp (mail06.sap.corp [194.39.131.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 3s7HSg2gTgz25P1; Mon, 8 Aug 2016 14:55:15 +0200 (CEST)
X-purgate-ID: 152705::1470660915-00007F13-E4040081/0/0
X-purgate-size: 1368
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail06.wdf.sap.corp (Postfix) with ESMTP id 3s7HSf62YnzkxT4; Mon, 8 Aug 2016 14:55:14 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id C83D71A51C; Mon, 8 Aug 2016 14:55:14 +0200 (CEST)
In-Reply-To: <20160806235716.726a0e4e@pc1>
To: Hanno Böck <hanno@hboeck.de>
Date: Mon, 08 Aug 2016 14:55:14 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20160808125514.C83D71A51C@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CEn2okzyXbxow6DsrqS_WzcG-Xc>
Cc: tls@ietf.org
Subject: Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2016 12:55:20 -0000
Hanno Böck wrote: > > Actually there is some info on that in the PSS spec [1]. What I write > here is my limited understanding, but roughly I'd interpret it as this: > It says that if you use a non-random salt the security gets reduced to > the security of full domain hashing, which was kinda the predecessor of > PSS. > I'd conclude from that that even in a situation where the salt > generation is a non-random value nothing really bad happens. The > security of a PSS scheme without randomness is still better than that > of a PKCS #1 1.5 signature. The urban myth about the advantages of the RSA-PSS signature scheme over PKCS#1 v1.5 keep coming up. It has been mentioned here before: Fedor Brunner wrote on 4 Mar 2016 17:45:19: > > Please see the paper "Another Look at ``Provable Security''" from Neal > Koblitz and Alfred Menezes. > > https://eprint.iacr.org/2004/152 > > Section 7: Conclusion > > "There is no need for the PSS or Katz-Wang versions of RSA; > one might as well use just the basic ?hash and exponentiate? signature > scheme (with a full-domain hash function)." The advantages of the RSA-PSS signature scheme are limited to situations where the rightful owner of the private signing key is not supposed to have access to the bits of the private key (i.e. key kept in hardware). -Martin
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Martin Rex
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Tony Arcieri
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Tony Arcieri
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Martin Rex
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Peter Gutmann
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Tony Arcieri
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Brian Smith
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Nikos Mavrogiannopoulos
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Salz, Rich
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Martin Rex
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Brian Smith
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Rene Struik
- Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Hanno Böck
- [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA Brian Smith