Re: [TLS] RSA-PSS in TLS 1.3

Hanno Böck <hanno@hboeck.de> Mon, 29 February 2016 18:00 UTC

Return-Path: <hanno@hboeck.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72B4A1B3924 for <tls@ietfa.amsl.com>; Mon, 29 Feb 2016 10:00:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.898
X-Spam-Level: *
X-Spam-Status: No, score=1.898 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, MANGLED_BACK=2.3, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A5tID4rBxXGE for <tls@ietfa.amsl.com>; Mon, 29 Feb 2016 10:00:25 -0800 (PST)
Received: from zucker.schokokeks.org (zucker.schokokeks.org [178.63.68.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76F9C1B3918 for <tls@ietf.org>; Mon, 29 Feb 2016 10:00:25 -0800 (PST)
Received: from pc1 (0x3ec7a9e1.inet.dsl.telianet.dk [::ffff:62.199.169.225]) (AUTH: LOGIN hanno-default@schokokeks.org, TLS: TLSv1/SSLv3, 128bits, ECDHE-RSA-AES128-GCM-SHA256) by zucker.schokokeks.org with ESMTPSA; Mon, 29 Feb 2016 19:00:22 +0100 id 00000000000000A4.0000000056D48736.000078B8
Date: Mon, 29 Feb 2016 19:00:21 +0100
From: Hanno =?UTF-8?B?QsO2Y2s=?= <hanno@hboeck.de>
To: tls@ietf.org
Message-ID: <20160229190021.59516808@pc1>
In-Reply-To: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com>
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="=_zucker.schokokeks.org-30904-1456768822-0001-2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/L6djrx9rulwySbMvPhQLX_ZnwGI>
Subject: Re: [TLS] RSA-PSS in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Feb 2016 18:00:27 -0000

On Mon, 29 Feb 2016 09:32:04 -0800
Joseph Salowey <joe@salowey.net> wrote:

> We make RSA-PSS mandatory to implement (MUST implement instead of MUST
> offer).   Clients can advertise support for PKCS-1.5 for backwards
> compatibility in the transition period.
> Please respond on the list on whether you think this is a reasonable
> way forward or not.

I recently already saw the message here asking for PKCS #1 1.5
compatibilty and was quite angry about it, but as there wasn't much
discussion I thought this issue would go away. It seems it did not.

RSA-PSS was specified as RFC 3447 in 2003. That was 13 years ago.

Therefore we can conclude:
* Whoever created that hardware implementation either did so more than
  13 years ago (probably unlikely) or deliberately created hardware
  crypto with sub-standard algorithm support.
* This can mean a couple of things:
a) The hardware vendor knew about it and expected that they could
prevent a move to RSA-PSS by lobbying standardization bodies (this is
what they seem to do right now). In this case they deliberately want to
weaken security and that behavior should not be encouraged.
b) They didn't know about RFC 3447. That probably means they shouldn't
develop crypto products at all.
c) Something else?
whatever the reason was, I can't find any reason I would find in any
way acceptable. I think the TLS working group should not encourage such
vendor behavior. Instead I think the opposite should happen: A clear
statement that deploying sub-standard crypto technologies isn't
acceptable and whoever does it has to expect breakage in the future.

TLS suffered a lot in the past from misguided attempts to provide
backwards compatiblity to weak algorithms. Most of the fancy
named vulns in the past years can somehow be traced back to this
problem.

PKCS #1 1.5 is a real problem. The last PKCS #1 1.5 signature related
vuln that could've been prevented by using RSA-PSS was found 2 months
ago [1]. The last one in a major implementation (BERserk) was in 2014.

tl;dr: I don't think supporting PKCS #1 1.5 in TLS 1.3 is reasonable.
Let's not repeat the mistakes from the past.

[1]
https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42