Re: [TLS] Using RSA PSS in TLS

Johannes Merkle <johannes.merkle@secunet.com> Mon, 14 October 2013 09:25 UTC


> Why would you want to allow RSA in non-PSS-mode at all? And why on earth would you want to make the less secure
> PKCS#1v1.5 the default? There's simply zero advantage of PKCS#1v1.5 over PSS, except for legacy compatibility.

Legacy compatibility is exactly the point. Implementations must be prepared to communicate with servers/clients that
do not support the new version. (Unfortunately, experience shows that it's not only legacy implementations that do not
implement the latest algorithms; there may even be current ones.) And the absence of an extension is the only way to
detect lack of support for it; thus, the default MUST be the old RSA version.

Otherwise, I agree with your statement that PSS is superior to PKCS#1v1.5 in terms of security, although the security
issues with PKCS#1v1.5 signatures are not as bad as in the case of encryption.

> 
> I'd say: Preferably with the next TLS version RSA should simply be switched to PSS.
> 

Although I would welcome a TLS 1.3 deprecating PKCS#1v1.5 in favor of RSA-PSS, I didn't mean to wait for TLS 1.3.
Given the slow pace of deployment of new TLS versions, that may simply take too long.
-- 
Johannes
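The negotiation rule argued above (a server may only pick RSA-PSS when the peer has advertised it, and must fall back to the old PKCS#1 v1.5 default when the extension is absent) as an added example; this is editor-written code, not code from the thread or from any TLS implementation. It assumes the ClientHello extensions and signature_algorithms wire layout of RFC 5246 (section 7.4.1.4.1), the {sha1, rsa} default that RFC prescribes when the extension is missing, and the rsa_pss_rsae codepoints (0x0804..0x0806) that were only assigned later in RFC 8446; the ClientHello byte strings are constructed inline for the example.

```python
"""Server-side RSA signature-scheme selection driven by the TLS 1.2
signature_algorithms extension.

Editor-added example (not from the thread). Assumptions: RFC 5246 wire
format for the ClientHello extensions block and the signature_algorithms
extension; RSA-PSS codepoints as later assigned in RFC 8446. Sample
ClientHello extension blocks are constructed by build_extensions().
"""
import struct

# SignatureAndHashAlgorithm pairs on the wire: (hash byte << 8) | signature byte.
RSA_PKCS1_SHA1 = 0x0201
RSA_PKCS1_SHA256 = 0x0401
RSA_PKCS1_SHA384 = 0x0501
# RSA-PSS codepoints from RFC 8446 (assumed here; they did not exist in 2013).
RSA_PSS_RSAE_SHA256 = 0x0804
RSA_PSS_RSAE_SHA384 = 0x0805
RSA_PSS_RSAE_SHA512 = 0x0806

EXT_SIGNATURE_ALGORITHMS = 13  # RFC 5246 extension type for signature_algorithms

# Server preference order: PSS whenever the peer offers it, PKCS#1 v1.5 otherwise.
SERVER_PREFERENCE = [RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE_SHA384, RSA_PSS_RSAE_SHA512,
                     RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA1]

# RFC 5246 7.4.1.4.1: with no signature_algorithms extension and an RSA key
# exchange, the server must behave as if the client had sent {sha1, rsa}.
LEGACY_DEFAULT = RSA_PKCS1_SHA1


def parse_extensions(blob: bytes) -> dict:
    """Parse a ClientHello extensions block: 2-byte total length followed by
    (type:2, length:2, data) records. Rejects truncation and duplicates."""
    if len(blob) < 2:
        raise ValueError("truncated extensions length")
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length mismatch")
    exts = {}
    pos = 2
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(blob):
            raise ValueError("truncated extension body")
        if ext_type in exts:
            raise ValueError("duplicate extension %d" % ext_type)
        exts[ext_type] = blob[pos:pos + ext_len]
        pos += ext_len
    return exts


def parse_signature_algorithms(data: bytes) -> list:
    """Parse supported_signature_algorithms<2..2^16-2>: a 2-byte length and
    then 2-byte SignatureAndHashAlgorithm entries; the list must be non-empty."""
    if len(data) < 2:
        raise ValueError("truncated signature_algorithms")
    (n,) = struct.unpack("!H", data[:2])
    if n != len(data) - 2 or n % 2 != 0 or n == 0:
        raise ValueError("bad signature_algorithms length")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, len(data), 2)]


def select_signature_scheme(client_hello_extensions: bytes) -> int:
    """Pick the scheme the server will use for its RSA signature. Absence of the
    extension is the only signal that the peer cannot verify PSS, so that case
    falls back to the legacy default instead of guessing."""
    exts = parse_extensions(client_hello_extensions)
    raw = exts.get(EXT_SIGNATURE_ALGORITHMS)
    if raw is None:
        return LEGACY_DEFAULT
    offered = parse_signature_algorithms(raw)
    for scheme in SERVER_PREFERENCE:
        if scheme in offered:
            return scheme
    raise ValueError("no mutually supported RSA signature scheme")


def build_extensions(schemes=None) -> bytes:
    """Construct a ClientHello extensions block for the example. schemes=None
    omits signature_algorithms entirely, which is what a legacy client sends."""
    body = b""
    if schemes is not None:
        lst = b"".join(struct.pack("!H", s) for s in schemes)
        ext = struct.pack("!H", len(lst)) + lst
        body += struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(ext)) + ext
    return struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    cases = {
        "legacy client, no extension": None,
        "current client, PKCS#1 v1.5 only": [RSA_PKCS1_SHA256, RSA_PKCS1_SHA1],
        "PSS-capable client": [RSA_PKCS1_SHA256, RSA_PSS_RSAE_SHA256],
    }
    for label, schemes in cases.items():
        print("%-36s -> 0x%04x" % (label, select_signature_scheme(build_extensions(schemes))))
```

The third case shows why the default cannot be flipped: a client listing both schemes gets PSS, but the server learns that only from the extension. Reversing the default would make the no-extension client (the one that has never heard of the extension) receive a PSS signature it cannot verify.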