Re: [TLS] RSA-PSS in TLS 1.3

Hanno Böck <hanno@hboeck.de> Tue, 01 March 2016 20:45 UTC

On Tue, 1 Mar 2016 18:23:25 +0000
Alyssa Rowan <akr@akr.io> wrote:

> And so (maybe not entirely coincidentally!): another attack, dubbed
> DROWN, just emerged¹, using SSLv2 as - you guessed it - a
> Bleichenbacher padding oracle against RSA PKCS#1 v1.5!

To be fair, the issues surrounding RSA encryption are different from
the ones about RSA signatures.
We already agreed to deprecate RSA encryption entirely. Therefore DROWN
is irrelevant for the discussion here.

(What often causes confusion is that Daniel Bleichenbacher is
responsible for *two* major and completely unrelated attacks against
RSA PKCS #1 1.5, one against encryption and one against - badly
implemented - signatures)

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
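The distinction drawn above between the two Bleichenbacher results is easy to lose, because the signature-side problem is not a flaw in PKCS #1 v1.5 signatures as specified but in verifiers that parse the recovered encoded message instead of comparing it whole. The following is an added example written for this archive page (not code from the e-mail, its author, or any TLS implementation); it uses only the Python standard library, generates a throwaway 512-bit demo key, and puts the lenient "parse the padding and look for the DigestInfo" check next to the strict RFC 8017 re-encode-and-compare check. The malformed encoded message is produced with the demo's own private key purely to show that the two verifiers disagree on it; no forgery is constructed. Key sizes, the message text and the trailing filler bytes are constructed values.

```python
import hashlib
import hmac
import random

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

_rnd = random.Random(20160301)  # seeded so the demo key is reproducible (demo only)


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for a demo key, not for production key generation."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rnd.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rnd.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def make_demo_key(bits=512, e=65537):
    """Toy RSA key pair (n, e, d). Illustration only; use a real library for real keys."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def emsa_pkcs1_v15_encode(message, k):
    """EMSA-PKCS1-v1_5 (RFC 8017 section 9.2): 00 01 FF..FF 00 DigestInfo||hash."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _raw_rsa(data, exp, n):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(data, "big"), exp, n).to_bytes(k, "big")


def sign(message, d, n):
    k = (n.bit_length() + 7) // 8
    return _raw_rsa(emsa_pkcs1_v15_encode(message, k), d, n)


def verify_strict(message, sig, e, n):
    """Correct check (RFC 8017 section 8.2.2): re-encode and compare the entire EM."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = _raw_rsa(sig, e, n)
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, k))


def verify_lenient(message, sig, e, n):
    """The implementation bug behind the 2006 signature attack: the verifier parses
    the recovered EM, skips however many FF bytes it finds, locates the DigestInfo
    after the first 00, and never checks that the EM ends there. Shown only so the
    strict check above has something to be compared against."""
    k = (n.bit_length() + 7) // 8
    em = _raw_rsa(sig, e, n)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i >= k or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em[i + 1:i + 1 + len(t)] == t     # bytes after the digest are ignored: the bug


def demo():
    n, e, d = make_demo_key()
    k = (n.bit_length() + 7) // 8
    msg = b"constructed test message"
    good = sign(msg, d, n)
    # Structurally wrong EM: short padding, DigestInfo, then filler bytes. It can
    # only be produced here because we hold the private key; the point is that the
    # lenient verifier accepts it while the strict verifier rejects it.
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    bad_em = b"\x00\x01" + b"\xff" * 4 + b"\x00" + t
    bad_em += b"\x42" * (k - len(bad_em))
    bad = _raw_rsa(bad_em, d, n)
    return {
        "strict_valid": verify_strict(msg, good, e, n),
        "lenient_valid": verify_lenient(msg, good, e, n),
        "strict_malformed": verify_strict(msg, bad, e, n),
        "lenient_malformed": verify_lenient(msg, bad, e, n),
    }


if __name__ == "__main__":
    print(demo())
```

The strict verifier never interprets the padding at all: it computes the one byte string a valid signature must decrypt to and compares the whole thing in constant time, which is why it is immune to the parsing mistakes the lenient version makes. That is also the check RFC 8017 actually specifies, and it is the property a reviewer should look for in any PKCS #1 v1.5 verifier regardless of the public exponent in use.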