Re: [TLS] PSS and TLS 1.3
Brian Smith <brian@briansmith.org> Fri, 20 January 2017 19:29 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 340691294DC for <tls@ietfa.amsl.com>; Fri, 20 Jan 2017 11:29:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=briansmith-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7lBgjqbwecgL for <tls@ietfa.amsl.com>; Fri, 20 Jan 2017 11:29:05 -0800 (PST)
Received: from mail-io0-x22d.google.com (mail-io0-x22d.google.com [IPv6:2607:f8b0:4001:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 859AE1294D6 for <tls@ietf.org>; Fri, 20 Jan 2017 11:29:05 -0800 (PST)
Received: by mail-io0-x22d.google.com with SMTP id j13so68907930iod.3 for <tls@ietf.org>; Fri, 20 Jan 2017 11:29:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=C448mUmi5Sxr2kntvn5DdRNy2OgwRIxsGtg6wSPGyYs=; b=Rui7oh3uP9k0ZV9PnVHd7TYO7Reno7L2MZtcgBOYe05EVjjN8s82dxVIu8FfvDcXJD YINSORR5tANjiEap7y1W/2LzvBp4mD0ruF0ITTAyId6K9s/aOqeLjd6m/1gDUhAmMrDH AsK24z8FaySDOkhdYiKRyLbhQnc3vNsCKmPku4aRiyDjzJhcyiZIWpSUmhm/MgmRKCxf 0ZdgUi1esv6eDNJZfjew1OHlYI2/ZVXFt9J7EJySX6uYvX4q35gnzJhijZpZ0PQOFgUz w1TkZEedU8RJx1SJ7ITYZtmjW4KR2ekh9GSCbQ3cQaLz065sZF1wnGDRQtoaP/ewGHI/ saMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=C448mUmi5Sxr2kntvn5DdRNy2OgwRIxsGtg6wSPGyYs=; b=kXJnx8ubH++/QsAyVzUFCS/kvNAFOw2QK/kbUOLlUf3P2hFiLfggRYTcboknTUM5Mu SemZPducpl9cAmPZcFsmoMl6JkqxwLLrvqPCyOsXhRY2yzxHnkg/4OP0EksWK9lBOWhw VapOg94nkEM1ZgEz8gxYf9PeU0sk1t6emhe2BuVax15EtFFRWneDDtfDeUKgKnsIwRbL p4iNi0IfLPF/EF95bvrhWJRPZQ1tkiKkKRMJe2iOJgXxzbOEE65BHxj8Vd3wfzI+ug4k xhxVFntntWSz0ujfdNc1BA0lVrSjFl3dJtgI1i7hQgBXI8rnjbeR5GH5qUIWYMOImy+T q/ZQ==
X-Gm-Message-State: AIkVDXI8w4FK+Yelhy+jCuxID8YC5Dym8dV1FFvOXbLMY9E5ZN55UiXn0BBq9agFqo6L72FPrWCB8gxm1YbTug==
X-Received: by 10.107.162.194 with SMTP id l185mr16271359ioe.184.1484940544786; Fri, 20 Jan 2017 11:29:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.36.65.206 with HTTP; Fri, 20 Jan 2017 11:29:04 -0800 (PST)
In-Reply-To: <20170120181455.GA30791@LK-Perkele-V2.elisa-laajakaista.fi>
References: <e993599c-f69d-2db3-f3f3-f40caf810bd6@drh-consultancy.co.uk> <20170120181455.GA30791@LK-Perkele-V2.elisa-laajakaista.fi>
From: Brian Smith <brian@briansmith.org>
Date: Fri, 20 Jan 2017 09:29:04 -1000
Message-ID: <CAFewVt6aDpmzZYrdPikmhQ8hpz14pxu68oiqO7CZcqEVjcMRUg@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "tls@ietf.org list" <tls@ietf.org>
Subject: Re: [TLS] PSS and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jan 2017 19:29:07 -0000
Ilari Liusvaara <ilariliusvaara@welho.com> wrote: >> The text above indicates the salt length for TLS messages. There are no >> restrictions placed on certificate signature salt lengths. Does this mean that >> any valid salt length (from 0 to the maximum permitted) must be supported? > > Well, the code I have written enforces the salt length restriction also on > any possible RSA-PSS certificates in chain. RSA PSS with a zero-length salt is a deterministic, subliminal-channel-free signature scheme. It is one of the few signature schemes that structurally prevent an HSM from directly leaking (parts of) the private key in an undetectable way. The PKCS#11 interface for RSA-PSS in particular only allows one to choose the length of the salt, not the value of the salt, thus using a zero-length salt is the only way to ensure that a HSM doesn't leak the private key. Accordingly, I think it's a bad idea for clients to enforce the salt length requirement, and for the TLS 1.3 draft to specify a requirement for a salt (that isn't empty). Although I originally suggested the salt length requirement that was added to the TLS 1.3 draft, I now am pretty sure it was a mistake. I'm pretty sure that PSS signatures can be *proven* to be safe with just 1 bit of salt in TLS, because the message that is being signed contains at least 1 random bit (from each party). Note also that it has already been proven many years ago that the salt length requirement that the TLS 1.3 draft currently imposes is too large. Similarly, in the case of the Web PKI, most CAs include at least one random bit in each certificate they sign, so it should be possible to construct the same proof for such certificates. > This comes from not even having RSA-PSS validation code that could deal > with arbitrary salt length. This is currently the case in my own software (*ring* and webpki) too, but I plan to make changes to both of them so that 0-length and maybe 1-bit salts are also acceptable, once the proof of security of shorter salt lengths is done. Note also that most deployed RSA-PSS certificates (that I've seen) are generated from Microsoft's software, which was (is?) hard-coded to use SHA-1 as the MGF digest function. Some newer software doesn't accept SHA-1 as the MGF digest function and so there's a trap there, regardless of the salt length issue. >> Additionally PSS signatures (see RFC4055) can be used with RSA keys >> (rsaEncryption OID) and RSA-PSS only keys (id-RSASSA-PSS OID). Does the >> RSASSA-PSS mean that both types must be accepted? It is better to implement id-RSASSA-PSS. (It is also good to enforce that certificates with a keyUsage extension that doesn't indicate encryption aren't used for RSA encryption, which is a related problem.) Cheers, Brian -- https://briansmith.org/
- [TLS] PSS and TLS 1.3 Dr Stephen Henson
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS and TLS 1.3 Brian Smith
- Re: [TLS] PSS and TLS 1.3 Adam Langley
- Re: [TLS] PSS and TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS and TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS and TLS 1.3 Martin Thomson
- Re: [TLS] PSS and TLS 1.3 Peter Gutmann
- Re: [TLS] PSS and TLS 1.3 Yoav Nir
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS and TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara