Re: [TLS] TLS 1.3 / RSA-PSS and unusual key sizes

Tim Taubert <> Tue, 31 January 2017 08:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4F9E7120726 for <>; Tue, 31 Jan 2017 00:20:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SKsTKyPufhCN for <>; Tue, 31 Jan 2017 00:20:31 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6F456129424 for <>; Tue, 31 Jan 2017 00:20:30 -0800 (PST)
Received: by with SMTP id r141so67752294wmg.1 for <>; Tue, 31 Jan 2017 00:20:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-transfer-encoding; bh=LQ+FV0q4gdjLenzYajWaH2HL9iqvqiColYuac2xhIu0=; b=JxnrZrZNlJ6TQUtL2jxTnQl46zl5FsskBg+aa4eNTo+jtA4pBNRY6Ge3laxXll3uB+ W/OLn3p42nCFuIH+d+mSJ8l9slFNV/AYdWMR8lOJAxMOhUgE6Czhclazd1R3fPSToU0j q6fov/Be5bII+nDA3+5tHSJqj2Z+9jhPHuYRM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-transfer-encoding; bh=LQ+FV0q4gdjLenzYajWaH2HL9iqvqiColYuac2xhIu0=; b=EJcjT3hULrxsFPJOSHOtdkEimcWSFcrzxXXLKox8nnk8OSW0tGJczaj9OUG7k8gmV7 awTH+t7fB/EBt7oIbxxfqnWNDvCpAvA5vewa6Va5sVjI82Vs7GbpWh4lwmyIXLI/jT4s NA1DXYtxfbqRz9kjfrZkXISCmoKU5Yn6h6QQM+0x0hndS+nsOVvLzxTP64jFfwr8fSQI 9rj4uKwuR/O9sRB/30ko0vEq5sg6B0oky832eOb2sGt5bSsXUQ9rx/jW94I+vMST7Ujo mQnPd5Wz8m+fFx30xUnNM7F45JyuowUwqw1Jln/SeZtifHCuLi8bLXLDEw+iaAcdo49b sRGw==
X-Gm-Message-State: AIkVDXJ9svmeXC9WKXNgCBCbCMgl7fxIS63buWwH4L6Taui4dCVrY3vYQJkU11HhqRTQRFc6
X-Received: by with SMTP id 2mr18883180wmp.66.1485850828736; Tue, 31 Jan 2017 00:20:28 -0800 (PST)
Received: from ( []) by with ESMTPSA id p49sm26840403wrb.10.2017. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 31 Jan 2017 00:20:28 -0800 (PST)
Message-ID: <>
Date: Tue, 31 Jan 2017 09:20:26 +0100
From: Tim Taubert <>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Hanno Böck <>
References: <20170127143003.36c20329@pc1>
In-Reply-To: <20170127143003.36c20329@pc1>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [TLS] TLS 1.3 / RSA-PSS and unusual key sizes
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 31 Jan 2017 08:20:33 -0000

Hanno Böck wrote:
> Hi,
> I wanted to warn people about a potential source of bugs with the
> deployment of RSA-PSS in TLS 1.3.
> Usually the RSA key modulus is a multiple of 8 (2048, 4096 etc.).
> However there's no rule that RSA keys can't have other sizes.
> Implementing PSS with support for arbitrary key sizes is a bit more
> complicated than implementing it for multiples of 8. I wrote the PSS
> implementation of NSS as a summer of code project a couple of years ago
> and I remember that my first implementation completely failed to
> consider this. (The fix for that never got merged afair, I informed NSS
> developers about this.)

Thanks again Hanno for bringing this to our attention. We patched it
yesterday in NSS 3.29, soon to be merged into Firefox 53.

If anyone else is about to take a look, feel free to use the official
RSA-PSS vectors I converted to SPKI/PKCS8, so you don't have to:

- Tim

> Back then I also reported a bug in OpenSSL:
> Long story short: It's not unlikely that there are more PSS
> implementations having problems with this.
> So I strongly recommend that all implementors of TLS 1.3 test their
> implementations for key sizes from n*8+1 to N*8+7.
> Such keys are rare, but they do exist in the wild. If implementations
> failing on that get shipped widely we may see random unexplained errors
> when people start migrating to TLS 1.3 in masses.
> I had actually considered proposing to change TLS 1.3 in a way that
> such keys would be simply forbidden. But I did a check on the censys
> data and there were too many of them in the wild, so I thought it
> wasn't a feasible idea.