Re: [TLS] RSA-PSS in TLS 1.3

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 01 March 2016 18:38 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BFC21B3F98 for <tls@ietfa.amsl.com>; Tue, 1 Mar 2016 10:38:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qt_N6Dt5uETF for <tls@ietfa.amsl.com>; Tue, 1 Mar 2016 10:38:18 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43B641B3F94 for <tls@ietf.org>; Tue, 1 Mar 2016 10:38:18 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 1CDF0284AED; Tue, 1 Mar 2016 18:38:17 +0000 (UTC)
Date: Tue, 1 Mar 2016 18:38:17 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20160301183816.GH12869@mournblade.imrryr.org>
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <56D4ABAD.90902@brainhub.org> <20160229233617.5466ebd3@pc1> <56D51FFB.9050909@brainhub.org> <DE710794-CA42-48E1-9AB9-A2BE2899E071@gmail.com> <56D5DE1D.3000708@akr.io> <CACsn0c=BOOf9z0fASaE_D_Nv1Bbck3bRj_JDZZaHnk-5d5x0LQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CACsn0c=BOOf9z0fASaE_D_Nv1Bbck3bRj_JDZZaHnk-5d5x0LQ@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/DwCVPN83Zq9I_CnEvyO6F6qvCzU>
Subject: Re: [TLS] RSA-PSS in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2016 18:38:20 -0000

On Tue, Mar 01, 2016 at 10:26:35AM -0800, Watson Ladd wrote:

> > And so (maybe not entirely coincidentally!): another attack, dubbed
> > DROWN, just emerged¹, using SSLv2 as - you guessed it - a
> > Bleichenbacher padding oracle against RSA PKCS#1 v1.5!
> 
> PSS doesn't help against Bleichenbacher attacks on encryption. The attack
> still can compute a private key operation.

Yes, fortunately TLS 1.3 eliminates RSA key transport.  Otherwise,
for key transport we'd want OAEP rather than PSS.

Still, even though DROWN does not attack RSA signatures, we cannot
say that ongoing use of PKCS#1 v1.5 signatures is particularly
wise.

    http://www.automatednetworkedstorage.biz/emc-plus/rsa-labs/historical/raising-standard-rsa-signatures-rsa-pss.htm

    Burt Kaliski, RSA Laboratories
    February 26, 2003

    Executive Summary

    RSA-PSS is a new signature scheme that is based on the RSA
    cryptosystem and provides increased security assurance. It was
    added in version 2.1 of PKCS #1.

    While the traditional and widely deployed PKCS #1 v1.5 signature
    scheme is still appropriate to use, RSA Laboratories encourages
    a gradual transition to RSA-PSS as new
    applications are developed.

So the question is how "gradual" we want the transition to be.  If
v1.5 is negotiable, in TLS 1.3, we're looking at another decade or
two, perhaps by then QC will make RSA obsolete?

-- 
	Viktor.