Re: [TLS] PSS and TLS 1.3
Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 23 January 2017 10:52 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 582DE129B11 for <tls@ietfa.amsl.com>; Mon, 23 Jan 2017 02:52:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.099
X-Spam-Level:
X-Spam-Status: No, score=-5.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-3.199] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AiVP65KhnRIm for <tls@ietfa.amsl.com>; Mon, 23 Jan 2017 02:52:46 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 4CBF312956B for <tls@ietf.org>; Mon, 23 Jan 2017 02:52:45 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 33EAA1EB89; Mon, 23 Jan 2017 12:52:44 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id gFm-9UAFQQzX; Mon, 23 Jan 2017 12:52:44 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id E94ED21C; Mon, 23 Jan 2017 12:52:43 +0200 (EET)
Date: Mon, 23 Jan 2017 12:52:41 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Message-ID: <20170123105241.GB28101@LK-Perkele-V2.elisa-laajakaista.fi>
References: <e993599c-f69d-2db3-f3f3-f40caf810bd6@drh-consultancy.co.uk> <1485158728.3068.5.camel@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1485158728.3068.5.camel@redhat.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jqrodYJpPFuYTbtdAx6N7JVD9NY>
Cc: "tls@ietf.org list" <tls@ietf.org>
Subject: Re: [TLS] PSS and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jan 2017 10:52:48 -0000
On Mon, Jan 23, 2017 at 09:05:28AM +0100, Nikos Mavrogiannopoulos wrote: > On Fri, 2017-01-20 at 17:43 +0000, Dr Stephen Henson wrote: > > > Additionally PSS signatures (see RFC4055) can be used with RSA keys > > (rsaEncryption OID) and RSA-PSS only keys (id-RSASSA-PSS OID). Does > > the RSASSA-PSS mean that both types must be accepted? > > That's a quite interesting finding. Although that protocol behavior > seems to ease transition to RSASSA-PSS, it also paves the field for new > cross protocol attacks. A server which can sign with either of RSASSA- > PSS and RSA-PKCS1 and the same key is certainly less secure than a > server which can sign with either of them. The only way to enforce that > a key is restricted is by requiring the id-RSASSA-PSS OID for RSASSA- > PSS. Unfortunately, dedicated RSA-PSS keys are pretty much undeployable, and requirement to use those would be de facto the same as removing RSA server signatures entierely from TLS 1.3[1]. I don't know any CA that would certify RSA-PSS keys. And adding new key types is a slow process. Heck, Certifying ECDSA keys are poorly supported among CAs[2]. And looking at RSA-PKCS1 and RSA-PSS, it doesn't seem likely that there exists a EM that is both valid in RSA-PKCS1 and RSA-PSS for any messages, unless keysizes are too small, hashes are too large or salts are too large. E.g. with 2048-bit keys, and SHA-512 with 512-bit salts, there are 126 octets to match, but only 64 octets to control, making it very unlikely that suitable control value can be found. With longer keys, each octet in key adds an octet to match but leaves octets to control unchanged. [1] Not that this wouldn't have security benefits, thanks to insecure stuff SSL and earlier TLS versions pull off... [2] Some commercial CAs (don't have list) and Let's Encrypt (signed with RSA[3] and even then most ACME software can't handle those).. [3] TLS 1.2 and 1.3 allows mixing and matching RSA and ECDSA in chain. -Ilari
- [TLS] PSS and TLS 1.3 Dr Stephen Henson
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS and TLS 1.3 Brian Smith
- Re: [TLS] PSS and TLS 1.3 Adam Langley
- Re: [TLS] PSS and TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS and TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS and TLS 1.3 Martin Thomson
- Re: [TLS] PSS and TLS 1.3 Peter Gutmann
- Re: [TLS] PSS and TLS 1.3 Yoav Nir
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS and TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara