IETF Logo Mail Archive

Re: [TLS] PR to clarify RSASSA-PSS requirements

Hubert Kario <hkario@redhat.com> Wed, 22 November 2017 13:45 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43751129447 for <tls@ietfa.amsl.com>; Wed, 22 Nov 2017 05:45:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ckq-ikuLBl8c for <tls@ietfa.amsl.com>; Wed, 22 Nov 2017 05:45:27 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84A2E1200FC for <tls@ietf.org>; Wed, 22 Nov 2017 05:45:27 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1D4B7883BE; Wed, 22 Nov 2017 13:45:27 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.223]) by smtp.corp.redhat.com (Postfix) with ESMTPS id DC3695EE1E; Wed, 22 Nov 2017 13:45:24 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Wed, 22 Nov 2017 14:45:17 +0100
Message-ID: <2262437.LnmhgzYEf9@pintsize.usersys.redhat.com>
In-Reply-To: <20171122121558.GF18321@al>
References: <20171122035404.GC18321@al> <1511340124.22935.27.camel@redhat.com> <20171122121558.GF18321@al>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2415715.2mRxGMS3kh"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Wed, 22 Nov 2017 13:45:27 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HBP5XWfW4PV76wDdE6NBSnXDmN0>
Subject: Re: [TLS] PR to clarify RSASSA-PSS requirements
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Nov 2017 13:45:30 -0000

On Wednesday, 22 November 2017 13:15:58 CET Peter Wu wrote:
> Hi Nikos,
> 
> On Wed, Nov 22, 2017 at 09:42:04AM +0100, Nikos Mavrogiannopoulos wrote:
> > On Wed, 2017-11-22 at 03:54 +0000, Peter Wu wrote:
> > > Hi,
> > > 
> > > At the moment there is still ambiguity in the requirements for PSS
> > > with
> > > relation to certificates. Proposal to clarify this:
> > > https://github.com/tlswg/tls13-spec/pull/1098
> > > 
> > > 
> > > This PR intends to clarify the requirements for PSS support.
> > 
> > Hi,
> > 
> >  I commented on the PR, but to provide more context. I believe RSA-PSS
> > 
> > keys without parameters MUST be supported under TLS1.3. The reason is
> > that keys explicitly marked as RSA-PSS cannot be used for RSA PKCS#1
> > 1.5 encryption, and thus they provide a way for the server to know that
> > it must protect that key against (cross-protocol) attacks which utilize
> > RSA ciphersuites under TLS1.2.
> > 
> > On why you don't want mixing keys for TLS1.3 and TLS1.2 RSA
> > ciphersuites, see all the bleichenbacher attack reiterations over the
> > years.
> > 
> > So what about distinguishing the RSA-PSS keys with and without
> > parameters:
> > 
> > "an RSASSA-PSS public key (OID id-RSASSA-PSS) without parameters MUST
> > be supported, while an RSASSA-PSS public key (OID id-RSASSA-PSS) with
> > parameters MAY be supported`."
> 
> In my understanding, the parameters are REQUIRED (cannot be NULL), but
> an "empty" DER encoding means that the default parameters are used
> (SHA-1, MFG1 with SHA-1, salt length equal to SHA-1 output (20), default
> trailer) per https://tools.ietf.org/html/rfc8017#page-75

No, when the parameters are completely omitted (the 
AlgorithmIdentifier.parameters is completely omitted in the SEQUENCE of 
AlgorithmIdentifier), that means that the key is unrestricted and can be used 
with arbitrary hashes and salt lengths (just like a rsaEncryption key).
If the AlgorithmIdentifier.parameters is present but empty (empty SEQUENCE in 
DER), that means that all parameters are restricted and have default 
parameters (sha1, 20 byte salt).

RFC 5756 is a bit more explicit on requirements for EE and CA certificates:
   When the id-RSASSA-PSS object identifier appears in the
   TBSCertificate subjectPublicKeyInfo algorithm field of CA
   certificates, then the parameters field SHOULD include the RSASSA-
   PSS-params structure.  When the id-RSASSA-PSS object identifier
   appears in the TBSCertificate subjectPublicKeyInfo algorithm field of
   EE certificates, then the parameters field MAY include the RSASSA-
   PSS-params structure.

The unrestricted EE keys should be supported, and I would even go as far as 
specifying that in TLS1.3 RSA-PSS EE certs MUST be unrestricted.
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.23.0 | Report a Bug | By Email