Re: [TLS] TLS RSA-PSS and various versions of TLS
mrex@sap.com (Martin Rex) Wed, 26 April 2017 13:24 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08801129B9D for <tls@ietfa.amsl.com>; Wed, 26 Apr 2017 06:24:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WtRMAXniaeK0 for <tls@ietfa.amsl.com>; Wed, 26 Apr 2017 06:24:01 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93F62129B95 for <tls@ietf.org>; Wed, 26 Apr 2017 06:24:00 -0700 (PDT)
Received: from mail07.wdf.sap.corp (mail04.sap.corp [194.39.131.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 3wCglL24tjz26rW; Wed, 26 Apr 2017 15:23:58 +0200 (CEST)
X-purgate-ID: 152705::1493213038-00002B31-A4D2BEA5/0/0
X-purgate-size: 4596
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail07.wdf.sap.corp (Postfix) with ESMTP id 3wCglL0SkczGnt2; Wed, 26 Apr 2017 15:23:58 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 06FA71A698; Wed, 26 Apr 2017 15:23:58 +0200 (CEST)
In-Reply-To: <926e3b6b-5f0c-e00a-5ba3-9a2cfcdc4e8f@drh-consultancy.co.uk>
To: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Date: Wed, 26 Apr 2017 15:23:57 +0200
CC: Benjamin Kaduk <bkaduk@akamai.com>, tls@ietf.org
Reply-To: mrex@sap.com
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20170426132358.06FA71A698@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Kf1BL-ADmMqnejI3VZv3lTUI2Vc>
Subject: Re: [TLS] TLS RSA-PSS and various versions of TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 13:24:04 -0000
Dr Stephen Henson wrote: > On 25/04/2017 15:36, Benjamin Kaduk wrote: >> >> RSASSA-PSS algorithms Indicates a signature algorithm using RSASSA- >> PSS [RFC3447 <https://tools.ietf.org/html/rfc3447>] with mask generation function 1. The digest used in >> the mask generation function and the digest being signed are both >> the corresponding hash algorithm as defined in [SHS <https://tools.ietf.org/html/draft-ietf-tls-tls13-19#ref-SHS>]. When used >> in signed TLS handshake messages, the length of the salt MUST be >> equal to the length of the digest output. This codepoint is also >> defined for use with TLS 1.2. >> >> >> Is the concern that this is insufficiently clearly indicated as placing >> requirements on signatures of certificates as opposed to signatures of >> TLS data structures? > > Yes that's my concern. Supporting PSS signatures on certificates is > a mandatory requirement and I think we should be very clear about the > parameters we permit. > > The above paragraph says nothing about salt length limitations on > signatures on certificates. We could have a situation where one > implementation enforces the salt length to be equal to the digest length > (and rejects everything else) and another will allow any valid length. It has always been a terribly stupid bug that TLS started talking about signatures on certificates when negotiating TLS protocol properties, and it resulted in a few painfully broken TLSv1.2 implementations getting shipped (such as Microsoft Windows7/2008R2 through 8.1/2012R2). Please ensure that TLSv1.3 is cleaned from bogus references about requirements on signature algorithms for certificates. Signatures on certificates are created by CAs, rather than TLS endpoints, so any implementation that uses TLS protocol parameters (about TLS signature algorithms) for more than a mere cert selection hint, is actively creating interop problems while providing *NO* value. Many TLS peers will have just one suitable certificate anyway, so not even looking at certificate signatures will be the easiest to implement, most robust and perfectly secure behaviour anyway. The issue with RSA-PSS digital signatures is that they were defined with additional (unnecessary) parameters that are encoded (=hidden) in the ASN.1 AlgorithmIdentifier, and that are therefore unspecified when RSA-PSS is requested as (rsa-pss,sha-256) rather than with an ASN.1 AlgorithmIdentifier. The additional, unnecessary parameters are "saltLen" and "MaskGenerationFunction" (MGF), and the commonly-used MaskGenerationFunction (mgf1) adds yet another additional, unnecessary parameter (MGF-internal hash). In theory there is another additional, unnecessary parameter "TrailerField", which appears in the ASN.1 AlgorithmIdentifier parameter list (and in the XMLdsig encoding for RSA-PSS), but PKCS#1 v2.1 (rfc3447) essentially hardwires the Trailerfield to option TrailerfieldBC(1), internal value 0xbc. The definition of "implied" RSA-PSS parameters applies only to the "digitally-signed" signature blobs using inside the TLS protocol because these do not come with an ASN.1 AlgorithmIdentifier tag. The implied RSA-PSS paramters for TLS' digitally-signed are unrelated to RSA-PSS signatures on certificates (certificates come with explicit RSA-PSS parameters encoded in an ASN.1 AlgorithmIdentifer): Certificate ::= SEQUENCE { tbsCertificate TBSCertificate, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING } The original RSA-PSS AlgorithmIdentifer specification also defines a hierarchical policy concept, that is supposed to limit the kinds of signatures that can be created (verified) with a so-tagged public RSA key, and this policy is supposed to work/apply from the RootCA cert *downwards* to the leaf / end-entity cert. It seems silly trying to apply implied RSA-PSS parameter selections from the digitally-signed TLS protocol transform to the signature on the TLS end-entity cert (or worse, even to certs up the cert chain), because that would be the wrong/invalid direction. What should be spelled out, whether and how any RSA-PSS policy in the subjectPublicKeyInfo AlgorithmIdentifier of the end-entity certificate interacts with implied RSA-PSS parameters used by the TLS digitally-signed transform. In any case, the decision whether to accept a certificate should be _with_the_receiver_ (verifier / RP), and *NEVER* with the sender. -Martin
- Re: [TLS] TLS RSA-PSS and various versions of TLS Dr Stephen Henson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Dr Stephen Henson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Benjamin Kaduk
- Re: [TLS] TLS RSA-PSS and various versions of TLS Dr Stephen Henson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Ilari Liusvaara
- Re: [TLS] TLS RSA-PSS and various versions of TLS Martin Rex
- [TLS] TLS RSA-PSS and various versions of TLS Timothy Jackson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Yoav Nir
- Re: [TLS] TLS RSA-PSS and various versions of TLS Martin Thomson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Ilari Liusvaara
- Re: [TLS] TLS RSA-PSS and various versions of TLS Martin Thomson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Dr Stephen Henson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Martin Thomson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Dr Stephen Henson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Viktor Dukhovni
- Re: [TLS] TLS RSA-PSS and various versions of TLS Dr Stephen Henson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Ilari Liusvaara
- Re: [TLS] TLS RSA-PSS and various versions of TLS Martin Thomson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Hubert Kario