IETF Logo Mail Archive

Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"

Hubert Kario <hkario@redhat.com> Wed, 13 September 2017 15:57 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A715513304F for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 08:57:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.92
X-Spam-Level:
X-Spam-Status: No, score=-6.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Eyn7jxLp1wZP for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 08:57:20 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C0F0132A89 for <tls@ietf.org>; Wed, 13 Sep 2017 08:57:20 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E3B8068807; Wed, 13 Sep 2017 15:57:19 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com E3B8068807
Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=hkario@redhat.com
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.223]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 859D377BF7; Wed, 13 Sep 2017 15:57:19 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "tls@ietf.org" <tls@ietf.org>, "Andrei.Popov@microsoft.com" <andrei.popov@microsoft.com>
Date: Wed, 13 Sep 2017 17:57:17 +0200
Message-ID: <2444518.Frf4kAzPhz@pintsize.usersys.redhat.com>
In-Reply-To: <FD577598-B505-4266-9B83-ED51BA4F59B7@ll.mit.edu>
References: <20170908225948.GC31695@al> <11673774.J8OL2FLGDl@pintsize.usersys.redhat.com> <FD577598-B505-4266-9B83-ED51BA4F59B7@ll.mit.edu>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2167594.lUJ2564bjr"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Wed, 13 Sep 2017 15:57:20 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hjhkUr5PoRa9fXqvFpToRHMsyZU>
Subject: Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 15:57:23 -0000

On Wednesday, 13 September 2017 16:35:25 CEST Blumenthal, Uri - 0553 - MITLL 
wrote:
> >     > enforcing the default. The default being:
> >     > - Hash algorithm the same as specified in Signature Algorithm
> >     > - MGF1 hash is the same as above
> >     > - Salt length same as digest length above
> >     
> >     No problem with that being recommendation, but I've seen people
> >     claiming
> > 
> > that some applications don't follow that salt length requirement, so I'd
> > say it would cause unnecessary problems if it was set too strict
> 
> I’m sure some apps follow, and some don’t. I’m simply saying that it makes
> sense for TLS to pick a sensible default (like the above) and stick with
> it. Other apps may do what they think is best.

hmm, thing is, that while certificates with subjectPublicKeyInfo of rsa-pss 
are still pink unicorns in production deployments, certificates with 
signatureAlgorithm of rsa-pss are fairly common in Microsoft shops - it is the 
default signature method for MS AD for good few years now.

I do not know what hashes, how consistent with MGF1 and what salts sizes do MS 
CAs select for those signatures.

I'm quite sure that people will want to use those existing CA certificates and 
intermediate CA certificates on new servers that will be deploying TLS 1.3...

> As for above, in view of the following discussion I think it would be better
> to replace “Signature Algorithm” above with
> “subjectPublicKeyInfo.algorithm.parameters.hashAlgorithm”. I still think
> that only the necessary minimum of parameters should be passed explicitly.

And I would agree, if we didn't have PKCS#11 tokens. If you work on pure-
software implementation it will be much easier to have EE that cannot have 
limitations specified in subjectPublicKeyInfo. But as soon as you have to work 
with any kind of hardware implementations of RSA, that assumption goes out the 
window. Because even if your HSM does do all combinations, different one may 
not.

> >     and there are clients that advertise only a subset of hashes:
> >     https://www.ssllabs.com/ssltest/viewClient.html?
> >     name=Safari&version=6&platform=iOS%206.0.1&key=33
> Seriously? iOS 6? Why not iOS 5 or 4? I think I still have an iOS 5 device
> somewhere. ;-)

my point is that if a client from a major technological company, largely 
focused on security, can make such decisions, I don't see why other developers 
couldn't follow the same logic that makes them do what Apple did.

> >     > The cryptographic module would perform RSA-PSS *signature* with
> >     > whatever
> >     > hashes it can. It won’t bother with *validation*, so this module’s
> >     > limitations shouldn’t matter.
> >     
> >     but it can't perform that signature using hash
> >     *that the client didn't advertise*
> 
> You’re probably right. But for my benefit, could you please outline the
> scenario how this would/could be used? To make sure I completely understand
> the use case?

The use case may be of a limited client that implements only one hash 
algorithm and because it's low power, doesn't have a software fallback - 
allowing SHA256 only, everywhere (both on TLS level and on certificate 
signature level).

That client can then, exactly as the standard prescribes, advertise support 
only for signature schemes that support sha256: 
 * rsa_pkcs1_sha256
 * rsa_pss_sha256
 * ecdsa_secp256r1_sha256

Server side can be limited by policy, to have just sha384 signing in rsa with 
big key sizes (e.g. because some part of the web site is considered 'Top 
secret' and need to use keys more resistant to quantum computers) but also 
have P-256 ECDSA certificate for the public part of the web site as a 
fallback.

That server policy can be encoded in the subjectPublicKeyInfo.

In such situation we want the server to sign Certificate Verify with the ECDSA 
key - ecdsa_secp256r1_sha256 - even if the client advertises preference for 
RSA and server wants to respect it.

Situation with two RSA keys with different limitations is not much different.
We still want to pick a certificate that can be used to make a signature that 
client claims it will be able to verify - rsa_pss_sha256.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.23.0 | Report a Bug | By Email