Re: [TLS] Using RSA PSS in TLS

Hanno Böck <hanno@hboeck.de> Mon, 14 October 2013 08:49 UTC

Date: Mon, 14 Oct 2013 10:49:12 +0200
From: Hanno Böck <hanno@hboeck.de>
To: Johannes Merkle <johannes.merkle@secunet.com>
Message-ID: <20131014104912.7b19bd93@pc>
In-Reply-To: <525BADBD.8020007@secunet.com>
References: <525BADBD.8020007@secunet.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Using RSA PSS in TLS

On Mon, 14 Oct 2013 10:39:25 +0200
Johannes Merkle <johannes.merkle@secunet.com> wrote:

> While the current discussion on this list is about ECC, I would like
> to raise the question if it were not desirable to allow usage of
> provably secure RSA-PSS signatures from PKCS#1v2.1 in TLS.
> 
> Of course, an issue with this idea is that, if we replace DHE_RSA and
> ECDHE_RSA with DHE_PSS and ECDHE_PSS, we end up with a whole bunch of
> new cipher suites. An alternative could be a new extension signaling
> the RSA version used (with PKCS#1v1.5 as default).

Why would you want to allow RSA in non-PSS-mode at all? And why on
earth would you want to make the less secure PKCS#1v1.5 the default?
There's simply zero advantage of PKCS#1v1.5 over PSS, except for legacy
compatibility. But as PKCS#1v2.1 is now out for eleven years, we could just
start using it.

I'd say: Preferably with the next TLS version RSA should simply be
switched to PSS.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
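To make concrete what the switch discussed above changes at the encoding layer, here is an added example (not part of this thread or of any implementation) of the EMSA-PSS encode/verify operations from PKCS#1 v2.1 (RFC 3447, section 9.1) next to the deterministic EMSA-PKCS1-v1_5 encoding of section 9.2. SHA-256, a 32-byte salt and em_bits = 2047 (as for a 2048-bit modulus) are assumptions; the RSA key and modular exponentiation that wrap these encodings are deliberately left out.

```python
import hashlib, hmac, os

HASH = hashlib.sha256
H_LEN = 32  # SHA-256 output length (assumed hash)
S_LEN = 32  # salt length (assumed); RFC 3447 recommends sLen == hLen

def mgf1(seed, mask_len):
    """MGF1 mask generation function (RFC 3447, B.2.1)."""
    out = b""
    for counter in range((mask_len + H_LEN - 1) // H_LEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]

def emsa_pss_encode(message, em_bits, salt=None):
    """EMSA-PSS-ENCODE (RFC 3447, 9.1.1); salt=None draws a fresh random salt."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + S_LEN + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    salt = os.urandom(S_LEN) if salt is None else salt
    h = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()  # H = Hash(M')
    db = b"\x00" * (em_len - S_LEN - H_LEN - 2) + b"\x01" + salt
    masked_db = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused leftmost bits
    return bytes(masked_db) + h + b"\xbc"

def emsa_pss_verify(message, em, em_bits):
    """EMSA-PSS-VERIFY (RFC 3447, 9.1.2): True iff EM is consistent with message."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + S_LEN + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:
        return False
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= top_mask
    ps_len = em_len - H_LEN - S_LEN - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[-S_LEN:])
    h_expected = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    return hmac.compare_digest(h, h_expected)

def emsa_pkcs1_v15_encode(message, em_len):
    """EMSA-PKCS1-v1_5 (RFC 3447, 9.2) for contrast: fixed padding, no salt."""
    digest_info = bytes.fromhex("3031300d060960864801650304020105000420") + HASH(message).digest()
    if em_len < len(digest_info) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(digest_info) - 3) + b"\x00" + digest_info
```

Two PSS encodings of the same message differ (random salt) yet both verify, while the v1.5 encoding of a message is always the same bytes, which is exactly the structural property the provable-security argument for PSS builds on.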