Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

Peter Gutmann <> Tue, 09 August 2016 08:55 UTC

From: Peter Gutmann <>
To: Tony Arcieri <>, "" <>
Thread-Topic: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA
Date: Tue, 9 Aug 2016 08:55:30 +0000
References: <20160806235716.726a0e4e@pc1> <>, <>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

Tony Arcieri <> writes:

>Do you think we'll see real-world MitM attacks against RSA-PSS in TLS similar
>to those we've seen with PKCS#1v1.5 signature forgery, such as BERserk?

Not BERserk specifically because that was an attack on the ASN.1, not the
signature format.  OTOH PSS doesn't encode the hash algorithm as 1.5 does, so
here's a much simpler attack: Take a breakable hash function with an output
the same size as the one used in the sig, generate your collision, and paste
the sig onto colliding data, indicating the use of the breakable function not
the one used to generate the original sig.  Done.  Couldn't happen with 1.5
because that encodes the details of the hash function used as part of the
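The structural difference under discussion is easy to see by building both encodings from the RFC 8017 definitions. The following is an added illustration, not code from the thread or from any TLS implementation: it implements EMSA-PSS encode/verify and EMSA-PKCS1-v1_5 encode with hashlib, then shows that the v1.5 encoded message literally contains the SHA-256 DigestInfo prefix while the PSS encoded message carries no algorithm identifier at all, so the PSS verifier's only source of truth for the hash is whatever it binds out of band. The `verify_under_scheme` helper and the scheme table are assumptions modelled on the TLS 1.3 `rsa_pss_rsae_*` SignatureScheme values, where hash, MGF1 hash and salt length all follow from the negotiated scheme rather than from anything inside the signature; the messages and fixed salt are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# RFC 8017 B.2.1: MGF1 mask generation.
def mgf1(seed: bytes, mask_len: int, hash_fn: Callable) -> bytes:
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += hash_fn(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]

# RFC 8017 9.1.1: EMSA-PSS-ENCODE. Note that nothing in EM names the hash.
def emsa_pss_encode(msg: bytes, em_bits: int, hash_fn: Callable,
                    salt: Optional[bytes] = None) -> bytes:
    h_len = hash_fn().digest_size
    if salt is None:
        salt = os.urandom(h_len)          # TLS 1.3 fixes sLen = hLen
    s_len = len(salt)
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error")
    m_hash = hash_fn(msg).digest()
    h = hash_fn(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt
    db_mask = mgf1(h, em_len - h_len - 1, hash_fn)
    masked_db = bytes(a ^ b for a, b in zip(db, db_mask))
    top_bits = 8 * em_len - em_bits        # clear the unused leading bits
    masked_db = bytes([masked_db[0] & (0xFF >> top_bits)]) + masked_db[1:]
    return masked_db + h + b"\xbc"

# RFC 8017 9.1.2: EMSA-PSS-VERIFY. The hash function is an input the
# verifier must already trust; it cannot be read out of EM.
def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int,
                    hash_fn: Callable, s_len: int) -> bool:
    h_len = hash_fn().digest_size
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top_bits = 8 * em_len - em_bits
    if masked_db[0] & ~(0xFF >> top_bits) & 0xFF:
        return False
    db_mask = mgf1(h, em_len - h_len - 1, hash_fn)
    db = bytes(a ^ b for a, b in zip(masked_db, db_mask))
    db = bytes([db[0] & (0xFF >> top_bits)]) + db[1:]
    pad_len = em_len - h_len - s_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return False
    salt = db[pad_len + 1:]
    h_prime = hash_fn(b"\x00" * 8 + hash_fn(msg).digest() + salt).digest()
    return hmac.compare_digest(h, h_prime)

# RFC 8017 9.2: DER DigestInfo prefix for SHA-256; v1.5 embeds the hash OID.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v1_5_encode(msg: bytes, em_len: int) -> bytes:
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def em_carries_sha256_digestinfo(em: bytes) -> bool:
    return SHA256_DIGESTINFO_PREFIX in em

# Assumed mapping modelled on TLS 1.3 SignatureScheme: the scheme, not the
# signature, decides the hash, the MGF1 hash and the salt length.
TLS13_RSA_PSS_SCHEMES = {
    "rsa_pss_rsae_sha256": hashlib.sha256,
    "rsa_pss_rsae_sha384": hashlib.sha384,
    "rsa_pss_rsae_sha512": hashlib.sha512,
}

def verify_under_scheme(scheme: str, msg: bytes, em: bytes, em_bits: int) -> bool:
    hash_fn = TLS13_RSA_PSS_SCHEMES[scheme]   # KeyError for unknown schemes
    return emsa_pss_verify(msg, em, em_bits, hash_fn, hash_fn().digest_size)

if __name__ == "__main__":
    # Constructed demo: a 2048-bit modulus gives emBits = 2047, emLen = 256.
    msg = b"constructed TLS handshake transcript"
    pss_em = emsa_pss_encode(msg, 2047, hashlib.sha256, salt=b"\x11" * 32)
    print("PSS EM names its hash:  ", em_carries_sha256_digestinfo(pss_em))
    print("v1.5 EM names its hash: ",
          em_carries_sha256_digestinfo(emsa_pkcs1_v1_5_encode(msg, 256)))
    print("verify via scheme:      ",
          verify_under_scheme("rsa_pss_rsae_sha256", msg, pss_em, 2047))
```

Because `emsa_pss_verify` recomputes both MGF1 and H with the verifier's own hash, handing it a different 32-byte function such as `hashlib.sha3_256` for a SHA-256 encoding fails the padding and H checks; the protective decision is therefore which hash the verifier is told to use, which is why binding it to the negotiated scheme instead of a peer-supplied indication is the check worth auditing in a TLS stack.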