[TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

Brian Smith <brian@briansmith.org> Sun, 07 August 2016 04:54 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B9CD12D15F for <tls@ietfa.amsl.com>; Sat, 6 Aug 2016 21:54:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=briansmith-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3BXJLPMvdB41 for <tls@ietfa.amsl.com>; Sat, 6 Aug 2016 21:54:58 -0700 (PDT)
Received: from mail-it0-x229.google.com (mail-it0-x229.google.com [IPv6:2607:f8b0:4001:c0b::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 109BC120727 for <tls@ietf.org>; Sat, 6 Aug 2016 21:54:57 -0700 (PDT)
Received: by mail-it0-x229.google.com with SMTP id u186so51516722ita.0 for <tls@ietf.org>; Sat, 06 Aug 2016 21:54:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=UJ0AeF2U8PvvvUffOEiMbRT6yJMx31QfnAvIBcJyZRk=; b=jILzVrbWp1ZAR9x0XgsJwut5D7aybSctkRNVWdRypKBQDAXkCPk8owTqQxEhTfbUxv GtAC+U+0Uf1eJTgrekzZ9+LMMSU5P3nBGe2jcGChmNflHWi1fHfyBSs6XjNXZ98h8b4O ts3oZOMJX8YDUWmya8Q2wPaUgW+gtYAikNN7R12gZbAdLk8Agn0EI8YnAfOM/zrVFyXq D1s1v/6AWN+uLs2gDDvV9gJrlX0p4HiE3rdZAvz5w5jIHASJr5ErHwaS8KVdEjxfLL2k y6mQEGZV8JDrxnQ9rY4yNBXAP5FKzxsnBZU+Xb1E4Aw3b1tppTkzf2OhntfPOj+vBGuf BX4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=UJ0AeF2U8PvvvUffOEiMbRT6yJMx31QfnAvIBcJyZRk=; b=Of1dnp4FwGYeSse5umB2reHX3aWh0f7xY+Vytmiao2hWAW3r/amAYt5ejUPgojWxbZ iTH3Rc6762sZ6GTbYS35sP/IiOx7SgFs+Wakvf1QzuBXZ2ryhnqgm0ZWQsbKsYQ6nL9W ea8aHs9bKuBW0qqSuTAfopy79/rvNgeoXwodBHmNBdov9lnlLu/TC8AQkexCRl1AL/Hi PPSaFiKNsJsB4WKs3cTrZx8yEnWpuopiYegJgj4ietMt4o49pYsF8uDpwYI1lTj+Ue80 //qqg518zuzyVWEd/erBsBSt/t1xOm81fFqzDx7sBEhQys3U40hVWuvvh6L2RvUvIjlj LuYA==
X-Gm-Message-State: AEkoouvMqlhGW4dMoJ8Xa6gTBWfI82IJWHsGsrg1yaOcv1VQmanuSAOC9vlbxcOTkVdAFuucWjHDhcVpGBGb+Q==
X-Received: by 10.36.202.199 with SMTP id k190mr12949618itg.36.1470545696925; Sat, 06 Aug 2016 21:54:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.74.73 with HTTP; Sat, 6 Aug 2016 21:54:56 -0700 (PDT)
From: Brian Smith <brian@briansmith.org>
Date: Sat, 6 Aug 2016 18:54:56 -1000
Message-ID: <CAFewVt5CyooWhOWHwD+sLv9qVqS8YQJMnFLRFbLZtJVVDF6RvQ@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VQGJZPDJP7xoaoO7LXnNvIVqIG4>
Subject: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Aug 2016 04:54:59 -0000

The current draft says "It is RECOMMENDED that implementations
implement 'deterministic ECDSA' as specified in [RFC6979]." The
current draft also says, regarding RSA-PSS signatures: "When used in
signed TLS handshake messages, the length of the salt MUST be equal to
the length of the digest output."

I think it would be ideal if we could find a way to specify the
RSA-PSS salt requirement in a way that meets the requirements for
provable security that motivated the switch to RSA-PSS and also
recommends a deterministic method of salt generation analogous to what
RFC6979 does for ECDSA. However, I don't know of any such method.
Perhaps other people do; if so, the spec to include a recommendation
to use such a method be used.

Also, I think it would be great if people working on proofs of
security for TLS could take into consideration the fact that
some--perhaps many--implementations will intentionally or accidentally
use some form of deterministic or less-than-random salt generation for
RSA-PSS. For example, it would be great to see a "What if the salt(s)
in the RSA PSS signature(s) were generated deterministically?" section
of papers describing such proofs.

Cheers,
Brian
-- 
https://briansmith.org/