Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

Geoffrey Keating <> Wed, 07 November 2018 23:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 19D19129C6A for <>; Wed, 7 Nov 2018 15:07:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dcnWrm3AhWk5 for <>; Wed, 7 Nov 2018 15:07:53 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E55CE1294D7 for <>; Wed, 7 Nov 2018 15:07:53 -0800 (PST)
Received: by (Postfix, from userid 501) id 5FC9933D2A6; Wed, 7 Nov 2018 23:07:53 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: "<>" <>
References: <> <m236seg80v.fsf@localhost.localdomain> <>
From: Geoffrey Keating <>
Date: Wed, 07 Nov 2018 15:07:53 -0800
In-Reply-To: <>
Message-ID: <m2y3a4ebau.fsf@localhost.localdomain>
Lines: 66
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: <>
Subject: Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 07 Nov 2018 23:07:56 -0000

Viktor Dukhovni <> writes:

> [ Quoted text slightly reordered to put the RSA issue first, as that's
>   the main thing I'm trying to get clarity on, and enabling keyUsage
>   enforcement is causing some interoperability issues now... ]
> > On Nov 5, 2018, at 11:11 PM, Geoffrey Keating <> wrote:
> > 
> >> TL;DR:  Should TLS client abort DHE-RSA handshakes with a peer
> >> certificate that *only* lists:
> >> 
> >>            X509v3 Key Usage: 
> >>                Key Encipherment, Data Encipherment
> > 
> > Yes, because in DHE-RSA, the RSA key is used for signing, and this is
> > an encryption-only key.
> > 
> > As far as I know there's no similar attack on RSA, but I think this is
> > not a well-examined area.
> Since the vast majority of certificates in the wild are RSA, and
> interoperability is a concern, I'd really like to better understand
> what risk if any posed if one allows a an *RSA* key with a keyUsage
> of "keyEncipherment" (seen on some live servers that then do DHE-RSA)
> to be used for "DigitalSignature"?  I am only aware of risks in the
> converse direction.  How unreasonable would it be to be more forgiving
> and allow *RSA* "DigitalSignature" when the keyUsage indicates otherwise?

Maybe I should expand on my previous answer.

There is, obviously, an attack with RSA under some circumstances.  If
you have an oracle where the attacker can see the results of any RSA
decryption, then this leads directly to the ability to forge a

In more practical situations, the attacker doesn't get to see the
results.  Instead, for example in properly-implemented TLS, the
attacker only learns whether the decryption was successful, relative
to a key chosen by the attacker, and a 'successful' decryption
includes a padding check of the output which is highly unlikely to
succeed for a fixed input.  So there doesn't seem to be a direct
attack in this situation.

However, how do you know this is the situation?

There is the obvious question about improper implementations.  How do
you know that this key wasn't configured this way because there's a
known security issue which might leak a key used for encryption, and
the key is intended only to be presented to hosts which will not
accept DHE?

This is particularly relevant because we do know of some attacks on
PKCS#1v1.5 encryption, which make the 'proper implementation' quite
complicated, and you can see the result in RFC 3218.  However these
attacks were concerned primarily with recovering the symmetric key,
and not forging a signature using the RSA key.  I don't think anyone
has deeply investigated the signature-forging issue in this context,
since typically if you can recover the symmetric key, that's bad
enough (you can just force the connection to use an encryption-based

In general, though, what you're asking is "The CA signing this key has
instructed that I do not accept signatures made with it.  Is it OK to
accept signatures made with it?" It's really hard to see how the
answer to that could generally be 'yes'.