IETF Logo Mail Archive

Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"

Hubert Kario <hkario@redhat.com> Wed, 13 September 2017 10:55 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 713BC134210 for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 03:55:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.92
X-Spam-Level:
X-Spam-Status: No, score=-6.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZnJnqyuwt7vb for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 03:55:49 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B90EF133011 for <tls@ietf.org>; Wed, 13 Sep 2017 03:55:49 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 63E1C80F94; Wed, 13 Sep 2017 10:55:49 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 63E1C80F94
Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=hkario@redhat.com
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.223]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0D7E65FCA9; Wed, 13 Sep 2017 10:55:48 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Wed, 13 Sep 2017 12:55:42 +0200
Message-ID: <11673774.J8OL2FLGDl@pintsize.usersys.redhat.com>
In-Reply-To: <C63A6903-6F5E-4975-A160-94312A549D79@ll.mit.edu>
References: <20170908225948.GC31695@al> <10457521.MfgfQs1Zne@pintsize.usersys.redhat.com> <C63A6903-6F5E-4975-A160-94312A549D79@ll.mit.edu>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2173801.fldrGBKkiC"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Wed, 13 Sep 2017 10:55:49 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Pv5khqR69bkrwu_rvSI9NPYFF30>
Subject: Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 10:55:51 -0000

On Tuesday, 12 September 2017 20:33:21 CEST Blumenthal, Uri - 0553 - MITLL 
wrote:
> >     What Stephen is pointing at, is a server certificate (End Entity
> > 
> > certificate) when using RSA-PSS public key id in the X.509 certificate can
> > have RSA-PSS parameters in the public key id or can have them omitted.
> 
> Yes. And I concur with him that it is better to omit them, 

and I'm saying that such limitation on EE certificate won't help much if you 
also support hardware tokens as they can limit supported signature schemes too

> enforcing the
> default. The default being: 
> - Hash algorithm the same as specified in Signature Algorithm
> - MGF1 hash is the same as above
> - Salt length same as digest length above

No problem with that being recommendation, but I've seen people claiming that 
some applications don't follow that salt length requirement, so I'd say it 
would cause unnecessary problems if it was set too strict
 
> >     When the parameters are present the hash is set in stone and
> >     that key can then be used to sign with one hash and one hash only -
> >     the
> > 
> > hash that is specified in certificate (and rsa-pss padding).
> 
> I think the point Stephen was making is that Signature Algorithm specifies a
> hash – and there’s no reason to use a different one for MGF1.

this is not a problem we're talking about, I don't have any kind of problem 
with MGF1 requirement to be the same as the signature hash

> >     Now, if the certificate specifies in parameters SHA384 hash and client
> >     advertises support only for SHA256 with RSA-PSS, the server should
> > 
> > switch to (e.g.) ECDSA certificate that does not have that limitation and
> > continue connection instead of aborting the connection (very bad) or
> > sending certificate which most likely will be rejected by client as not
> > understandable/unverifiable (bad).
> 
> This is a different question. The point being addressed here is that each
> certificate is internally consistent, using the same hash for all the
> purposes within that certificate.

and what you're talking about is a non-issue. Binding MGF1 hash with signature 
hash is sensible and unlikely to cause problems.
 
> If the server’s certificate is signed with SHA384, so be it. There’s no
> reason for a client to not support SHA384 *for signature verification*, as
> hardware token restrictions shouldn’t apply here – it’s software-based
> validation.

I'm talking about subjectPublicKeyInfo field, *not* about signatureAlgorithm 
field from RFC 3280

and there are clients that advertise only a subset of hashes:
https://www.ssllabs.com/ssltest/viewClient.html?
name=Safari&version=6&platform=iOS%206.0.1&key=33
 
> >     What I've added is that that limitation may not come from the
> > 
> > certificate but may come from the cryptographic module (software or
> > hardware) that implements rsa-pss with just one or two hashes,
> > irrespective
> > of rsa-pss parameters in the certificate public key id.
> 
> The cryptographic module would perform RSA-PSS *signature* with whatever
> hashes it can. It won’t bother with *validation*, so this module’s
> limitations shouldn’t matter.

but it can't perform that signature using hash 
*that the client didn't advertise*

> >     So, I'm not sure what hash you are suggesting should be "the same
> >  everywhere".
> 
> Within one certificate – one hash. I.e., *no* SHA512 in Signature Algorithm,
> SHA384 for message hash in SHA384-RSA-PKCS-PSS, SHA256 for MGF1.

There are four places in which different hashes can be in a certificate:
 subjectPublicKeyInfo.algorithm.parameters.hashAlgorithm
 subjectPublicKeyInfo.algorithm.parameters.maskGenAlgorithm
 signatureAlgorithm.algorithm.parameters.hashAlgorithm
 signatureAlgorithm.algorithm.parameters.maskGenAlgorithm

Now, because the subjectPublicKeyInfo is chosen by the person generating the 
key (user) and signatureAlgorithm is chosen by the CA, and it is quite common 
already that e.g. a P-384 CA signs with SHA384 a P-256 intermediate CA that 
then signs EE with a SHA-256. I really don't think that *all* hashes should be 
the same.

How exactly using more secure parameters for longer lived keys is a bad idea?

> >     I'm quite sure you're not suggesting that we should limit TLS 1.3 to
> > SHA256 only (no SHA384 or SHA512), are you?
> 
> Oh no – I’m eccentric but not quite insane yet. ;-)

well, we do work on ASN.1 stuff... ;)
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.23.0 | Report a Bug | By Email