IETF Logo Mail Archive

Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"

Hubert Kario <hkario@redhat.com> Tue, 12 September 2017 18:06 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C10A5132EBB for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 11:06:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nnk-wNl0rH0i for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 11:06:57 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2430132D6D for <tls@ietf.org>; Tue, 12 Sep 2017 11:06:57 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 40D3A2F14A5; Tue, 12 Sep 2017 18:06:57 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 40D3A2F14A5
Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=hkario@redhat.com
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.223]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0AC9D5D6A9; Tue, 12 Sep 2017 18:06:57 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Tue, 12 Sep 2017 20:06:55 +0200
Message-ID: <10457521.MfgfQs1Zne@pintsize.usersys.redhat.com>
In-Reply-To: <21C4A934-8B10-40A8-950F-0E7B61F08613@ll.mit.edu>
References: <20170908225948.GC31695@al> <5159391.MM5YjT3ssF@pintsize.usersys.redhat.com> <21C4A934-8B10-40A8-950F-0E7B61F08613@ll.mit.edu>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart13688465.g3UpIy5l7T"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Tue, 12 Sep 2017 18:06:57 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YVDYQp-MBn28ooxlTNKP1IUEO_A>
Subject: Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2017 18:06:59 -0000

On Tuesday, 12 September 2017 19:36:04 CEST Blumenthal, Uri - 0553 - MITLL 
wrote:
> >  > . . .
> >   > 
> >     > This could get pretty messy: it requires a logic not used in any
> >     > other
> >     > algorithm. I'd be more than happy to have an outright prohibition on
> >     > EE PSS
> >     > key parameter restrictions in TLS 1.3 so implementers don't have to
> >     > bother
> >     > with this.
> > what about hardware tokens that support only specific hashes or
> > signatures? (I've seen ones that can do only RSA with SHA256 and SHA-1,
> > but
> > not SHA-384 or SHA-512) Isn't it basically the same code path (though the
> > limitation does come from slightly different place).
> 
> I think that the requirement of having the same hash everywhere in this
> certificate takes care of this problem.
> 
> If I’m missing the actual problem you’re pointing at – please outline the
> use case where it might manifest, and let’s take it from there.

What Stephen is pointing at, is a server certificate (End Entity certificate) 
when using RSA-PSS public key id in the X.509 certificate can have RSA-PSS 
parameters in the public key id or can have them omitted. When the parameters 
are omitted, it means that that key can be used for signing with any hash 
(SHA-1, SHA-256, SHA-384, SHA3-256, etc.) but must be used with rsa-pss 
padding scheme. When the parameters are present the hash is set in stone and 
that key can then be used to sign with one hash and one hash only - the hash 
that is specified in certificate (and rsa-pss padding).

Now, if the certificate specifies in parameters SHA384 hash and client 
advertises support only for SHA256 with RSA-PSS, the server should switch to 
(e.g.) ECDSA certificate that does not have that limitation and continue 
connection instead of aborting the connection (very bad) or sending 
certificate which most likely will be rejected by client as not 
understandable/unverifiable (bad).

What I've added is that that limitation may not come from the certificate but 
may come from the cryptographic module (software or hardware) that implements 
rsa-pss with just one or two hashes, irrespective of rsa-pss parameters in the 
certificate public key id.

So, I'm not sure what hash you are suggesting should be "the same everywhere".
I'm quite sure you're not suggesting that we should limit TLS 1.3 to SHA256 
only (no SHA384 or SHA512), are you?
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.23.0 | Report a Bug | By Email