Re: [TLS] Using RSA PSS in TLS

Johannes Merkle <johannes.merkle@secunet.com> Fri, 16 January 2015 11:09 UTC

Message-ID: <54B8F151.5040604@secunet.com>
Date: Fri, 16 Jan 2015 12:09:05 +0100
From: Johannes Merkle <johannes.merkle@secunet.com>
To: tls@ietf.org
References: <525BADBD.8020007@secunet.com> <54B67A19.9010507@redhat.com> <CAK9dnSzJ3SzO0aBAU5RvywjU-HQ1o12De8+PYUuyy1sUdR7+CA@mail.gmail.com> <20150115013149.0185bea4@pc> <CACsn0ckFmOKsMgEtyoCB20EL+Wmff0n11oV-Nz2HYcXYPbcJvA@mail.gmail.com>
In-Reply-To: <CACsn0ckFmOKsMgEtyoCB20EL+Wmff0n11oV-Nz2HYcXYPbcJvA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_IDH1ezuxMB-FSpDO407iiiUO9s>

> You *cannot* do PKCS 1.5 encryption right. The countermeasures to
> Bleichenbacher depend on enforcing additional structure on the
> messages, which SSL imposed by accident. As everyone should know, many
> implementations still do not get this right. (Can't name which ones,
> but even if they make the check, they may expose timing channels that
> are exploitable: there was a German PhD thesis a year or two ago that
> investigated exactly this, and broke some Java implementations).

Jager, Schinzel and Somorovsky also showed how XML encryption is vulnerable, and there was also this report about
practical attacks against hardware implementations:
https://eprint.iacr.org/2012/417


-- 
Johannes
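The "additional structure" the quoted message refers to is the TLS premaster-secret framing, and the standard countermeasure (RFC 5246, section 7.4.7.1) is to fold every structural check into a mask and silently substitute a random secret on failure, so the handshake only breaks later at the Finished message. The example below is added here to illustrate that logic; it is not code from the thread or any of the implementations discussed, and it assumes `em` is the raw k-byte output of the RSA private-key operation (the RSA step itself, and the hypothetical `fake` parameter used only to pin the substitute in tests, are outside what the message discusses).

```python
import os
from typing import Optional

PREMASTER_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes


def ct_eq_byte(a: int, b: int) -> int:
    """1 if the two byte values are equal, else 0, with no data-dependent branch."""
    x = (a ^ b) & 0xFF
    x |= x >> 4
    x |= x >> 2
    x |= x >> 1
    return (x & 1) ^ 1


def tls_premaster_from_em(em: bytes, client_version: bytes,
                          fake: Optional[bytes] = None) -> bytes:
    """Recover the premaster secret from em, the raw k-byte RSA decryption of a
    ClientKeyExchange, following the RFC 5246 7.4.7.1 countermeasure: the PKCS#1
    v1.5 type-2 framing, the fixed 48-byte length and the expected client version
    are all checked into one mask, and a random premaster is selected without a
    branch when anything fails. 'fake' is a hypothetical hook for tests only.
    """
    k = len(em)
    if k < PREMASTER_LEN + 11:  # modulus size is public, so this branch leaks nothing
        raise ValueError("RSA modulus too small for a TLS premaster secret")
    fake = os.urandom(PREMASTER_LEN) if fake is None else fake
    sep = k - PREMASTER_LEN - 1  # 0x00 separator sits at a fixed position for TLS

    ok = ct_eq_byte(em[0], 0x00) & ct_eq_byte(em[1], 0x02) & ct_eq_byte(em[sep], 0x00)
    for i in range(2, sep):  # fixed-length loop: padding string must be nonzero
        ok &= ct_eq_byte(em[i], 0x00) ^ 1
    ok &= ct_eq_byte(em[sep + 1], client_version[0])
    ok &= ct_eq_byte(em[sep + 2], client_version[1])

    mask = (-ok) & 0xFF  # 0xFF when every check passed, 0x00 otherwise
    msg = em[sep + 1:]
    # Branch-free select between the decrypted bytes and the random substitute.
    return bytes((m & mask) | (f & (mask ^ 0xFF)) for m, f in zip(msg, fake))
```

Python cannot guarantee constant time, so this shows the structure of the check rather than a deployable routine; in a real implementation the RSA operation, this check and everything the server does afterwards must all be free of padding-dependent branches and timing.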