Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
Hubert Kario <hkario@redhat.com> Tue, 12 September 2017 18:06 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C10A5132EBB for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 11:06:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nnk-wNl0rH0i for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 11:06:57 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2430132D6D for <tls@ietf.org>; Tue, 12 Sep 2017 11:06:57 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 40D3A2F14A5; Tue, 12 Sep 2017 18:06:57 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 40D3A2F14A5
Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=hkario@redhat.com
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.223]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0AC9D5D6A9; Tue, 12 Sep 2017 18:06:57 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Tue, 12 Sep 2017 20:06:55 +0200
Message-ID: <10457521.MfgfQs1Zne@pintsize.usersys.redhat.com>
In-Reply-To: <21C4A934-8B10-40A8-950F-0E7B61F08613@ll.mit.edu>
References: <20170908225948.GC31695@al> <5159391.MM5YjT3ssF@pintsize.usersys.redhat.com> <21C4A934-8B10-40A8-950F-0E7B61F08613@ll.mit.edu>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart13688465.g3UpIy5l7T"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Tue, 12 Sep 2017 18:06:57 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YVDYQp-MBn28ooxlTNKP1IUEO_A>
Subject: Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2017 18:06:59 -0000
On Tuesday, 12 September 2017 19:36:04 CEST Blumenthal, Uri - 0553 - MITLL wrote: > > > . . . > > > > > > This could get pretty messy: it requires a logic not used in any > > > other > > > algorithm. I'd be more than happy to have an outright prohibition on > > > EE PSS > > > key parameter restrictions in TLS 1.3 so implementers don't have to > > > bother > > > with this. > > what about hardware tokens that support only specific hashes or > > signatures? (I've seen ones that can do only RSA with SHA256 and SHA-1, > > but > > not SHA-384 or SHA-512) Isn't it basically the same code path (though the > > limitation does come from slightly different place). > > I think that the requirement of having the same hash everywhere in this > certificate takes care of this problem. > > If I’m missing the actual problem you’re pointing at – please outline the > use case where it might manifest, and let’s take it from there. What Stephen is pointing at, is a server certificate (End Entity certificate) when using RSA-PSS public key id in the X.509 certificate can have RSA-PSS parameters in the public key id or can have them omitted. When the parameters are omitted, it means that that key can be used for signing with any hash (SHA-1, SHA-256, SHA-384, SHA3-256, etc.) but must be used with rsa-pss padding scheme. When the parameters are present the hash is set in stone and that key can then be used to sign with one hash and one hash only - the hash that is specified in certificate (and rsa-pss padding). Now, if the certificate specifies in parameters SHA384 hash and client advertises support only for SHA256 with RSA-PSS, the server should switch to (e.g.) ECDSA certificate that does not have that limitation and continue connection instead of aborting the connection (very bad) or sending certificate which most likely will be rejected by client as not understandable/unverifiable (bad). What I've added is that that limitation may not come from the certificate but may come from the cryptographic module (software or hardware) that implements rsa-pss with just one or two hashes, irrespective of rsa-pss parameters in the certificate public key id. So, I'm not sure what hash you are suggesting should be "the same everywhere". I'm quite sure you're not suggesting that we should limit TLS 1.3 to SHA256 only (no SHA384 or SHA512), are you? -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
- [TLS] RSASSA-PSS in certificates and "signature_a… Peter Wu
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Ilari Liusvaara
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Dr Stephen Henson
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Eric Rescorla
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Nick Sullivan
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Nikos Mavrogiannopoulos
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Ilari Liusvaara
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Martin Rex
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Ilari Liusvaara
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Martin Rex
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Dr Stephen Henson
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Nikos Mavrogiannopoulos
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Dr Stephen Henson
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Eric Rescorla
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario