Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

Tony Arcieri <bascule@gmail.com> Tue, 09 August 2016 21:13 UTC

From: Tony Arcieri <bascule@gmail.com>
Date: Tue, 09 Aug 2016 14:13:25 -0700
Message-ID: <CAHOTMV+e6Ka5yePxqj+onXM-bwq5n4pRw5F7g248e=Ydkzqnyw@mail.gmail.com>
To: Martin Rex <mrex@sap.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/c46-adqVJO40fd-e8NQvvYJ241A>
Cc: "tls@ietf.org" <tls@ietf.org>

On Tue, Aug 9, 2016 at 7:16 AM, Martin Rex <mrex@sap.com> wrote:

> BERserk is an implementation defect, not a crypto weakness.
>

Hence why I phrased the question the way I did. Per Izu, Shimoyama, and
Takenaka 2006, PKCS#1 v1.5 has sharp edges which implementers must avoid
(of course, the same can be said of BER in BERserk, and it was clearly the
bigger of the two problems).

Peter Gutmann's response was the sort of thing I was looking for when I
originally asked the question.

-- 
Tony Arcieri
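The sharp edge Tony points at lives in PKCS#1 v1.5 signature verification: a verifier that parses the recovered encoded message and stops once it finds the expected hash will accept encodings a strict verifier rejects. The example below is added here and is not code from the thread; it uses a constructed demo key (the Mersenne primes 2^521-1 and 2^607-1, an assumption that is fine for a demonstration and wrong for a real key) and a hypothetical `malformed_signature` helper, built with the private key purely to show the two verifiers disagreeing. The mitigation shown in `strict_verify` is the one RFC 8017 specifies: re-encode and compare the whole EM byte for byte.

```python
import hashlib

# Constructed demo key (assumption: fixed Mersenne primes, demo only).
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15_encode(msg: bytes) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xFF...) || 0x00 || T, exactly K bytes."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def raw_sign(em: bytes) -> bytes:
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")

def sign(msg: bytes) -> bytes:
    return raw_sign(emsa_pkcs1_v15_encode(msg))

def recover_em(sig: bytes) -> bytes:
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")

def lenient_verify(msg: bytes, sig: bytes) -> bool:
    """The sharp edge: walk the padding, then accept once the hash is
    found, ignoring whatever follows it and how long PS really was."""
    em = recover_em(sig)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    return em[i + 1:].startswith(SHA256_PREFIX + hashlib.sha256(msg).digest())

def strict_verify(msg: bytes, sig: bytes) -> bool:
    """Mitigation (RFC 8017 8.2.2): rebuild EM and compare it whole."""
    return len(sig) == K and recover_em(sig) == emsa_pkcs1_v15_encode(msg)

def malformed_signature(msg: bytes) -> bytes:
    """Hypothetical helper: signs an EM with a shortened PS and eight
    trailing bytes after the hash, using the private key, to show the
    two verifiers disagreeing on the same input."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    tail = b"\x00" * 8
    return raw_sign(b"\x00\x01" + b"\xff" * (K - len(t) - len(tail) - 3) + b"\x00" + t + tail)
```

Run `strict_verify` and `lenient_verify` on `sign(b"hello")` and on `malformed_signature(b"hello")`: the strict check accepts only the first, the lenient one accepts both.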