IETF Logo Mail Archive

Re: [TLS] PR to clarify RSASSA-PSS requirements

Nikos Mavrogiannopoulos <nmav@redhat.com> Wed, 22 November 2017 13:33 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 166EF129440 for <tls@ietfa.amsl.com>; Wed, 22 Nov 2017 05:33:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jQ4GQySgsqcf for <tls@ietfa.amsl.com>; Wed, 22 Nov 2017 05:33:32 -0800 (PST)
Received: from mail-wm0-f45.google.com (mail-wm0-f45.google.com [74.125.82.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8ED181200FC for <tls@ietf.org>; Wed, 22 Nov 2017 05:33:32 -0800 (PST)
Received: by mail-wm0-f45.google.com with SMTP id r68so10307511wmr.1 for <tls@ietf.org>; Wed, 22 Nov 2017 05:33:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=js+j9kk9Up8QgA3KORyXvig20TQ6D33KD1h0kKuBDRc=; b=tD7vaojLtA2vMHqeTirhsBdLL+Ftk3QpMfgKZ+Ojh+VWHEgCeHrNHs3IRMpzxEvA5T 207deijjjtoM3spT9vAxgDzptwyH/AHzTnkS+y9YcDm5VQkSN0Z6GWra8d9uxTmRgT8T mPqjI3UmCh3BtoR8f54dDn61ekTqer+bJzNHNaxDCYiceb6SMKZuyRWupPCKdIMcg77T Vuwh8yh0YPbMZ8qK5uL70RYwfID7YtaqNSa8UJbDapVQoYBVocFNvDtTNA280FHw4bX2 MDjpoVkeOWvCeh/yx9pAGoaRq615XsGe1EnVqAr90j5uBi1iCa2Zu+Uh0eY8LPNmGGuh lK4A==
X-Gm-Message-State: AJaThX6V7oD3J4kqjnjylkVU7dk1733bjyn4LB5xA1QH8A00dYvjBWN0 BoRxF0egSbFq5SDNmksM0YLSVgE67uw=
X-Google-Smtp-Source: AGs4zMajLftDTI3lah2VfxXXqSldXj/syePskbTgLrz51dTFldEw1edG2QQhT2xFoGVBiXOVQsAatw==
X-Received: by 10.28.139.144 with SMTP id n138mr4292641wmd.78.1511357610940; Wed, 22 Nov 2017 05:33:30 -0800 (PST)
Received: from dhcp-10-40-1-102.brq.redhat.com (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id m189sm2596546wmb.38.2017.11.22.05.33.30 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 22 Nov 2017 05:33:30 -0800 (PST)
Message-ID: <1511357609.22935.47.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Peter Wu <peter@lekensteyn.nl>
Cc: tls@ietf.org
Date: Wed, 22 Nov 2017 14:33:29 +0100
In-Reply-To: <20171122121558.GF18321@al>
References: <20171122035404.GC18321@al> <1511340124.22935.27.camel@redhat.com> <20171122121558.GF18321@al>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.24.6 (3.24.6-1.fc26)
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oa6874-8cOdGrdfbjhzh1oQRc7Y>
Subject: Re: [TLS] PR to clarify RSASSA-PSS requirements
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Nov 2017 13:33:35 -0000

On Wed, 2017-11-22 at 12:15 +0000, Peter Wu wrote:
> Hi Nikos,
> 
> On Wed, Nov 22, 2017 at 09:42:04AM +0100, Nikos Mavrogiannopoulos
> wrote:
> > On Wed, 2017-11-22 at 03:54 +0000, Peter Wu wrote:
> > > Hi,
> > > 
> > > At the moment there is still ambiguity in the requirements for
> > > PSS
> > > with
> > > relation to certificates. Proposal to clarify this:
> > > https://github.com/tlswg/tls13-spec/pull/1098
> > > 
> > > 
> > > This PR intends to clarify the requirements for PSS support.
> > 
> > Hi,
> >  I commented on the PR, but to provide more context. I believe RSA-
> > PSS
> > keys without parameters MUST be supported under TLS1.3. The reason
> > is
> > that keys explicitly marked as RSA-PSS cannot be used for RSA
> > PKCS#1
> > 1.5 encryption, and thus they provide a way for the server to know
> > that
> > it must protect that key against (cross-protocol) attacks which
> > utilize
> > RSA ciphersuites under TLS1.2.
> > 
> > On why you don't want mixing keys for TLS1.3 and TLS1.2 RSA
> > ciphersuites, see all the bleichenbacher attack reiterations over
> > the
> > years.
> > 
> > So what about distinguishing the RSA-PSS keys with and without
> > parameters:
> > 
> > "an RSASSA-PSS public key (OID id-RSASSA-PSS) without parameters
> > MUST
> > be supported, while an RSASSA-PSS public key (OID id-RSASSA-PSS)
> > with
> > parameters MAY be supported`."
> 
> In my understanding, the parameters are REQUIRED (cannot be NULL),
> but
> an "empty" DER encoding means that the default parameters are used
> (SHA-1, MFG1 with SHA-1, salt length equal to SHA-1 output (20),
> default
> trailer) per https://tools.ietf.org/html/rfc8017#page-75

That's not what the DEFAULT keyword means in ASN.1. My understanding is
that the default value applies when there is a sequence without that
value present, not when the sequence is not there at all.

Nevertheless, irrespective of that interpreation, for TLS1.3 an empty
DER encoding means nothing of that as these parameters are negotiated
over TLS (e.g, rsa_pss_sha256). See:
https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.2.3

On whether empty parameters are allowed on RSA-PSS certificates,
RFC4055 is clear on that:
"CAs MAY require that the parameters be present in the
publicKeyAlgorithms field for end-entity certificates."

https://tools.ietf.org/html/rfc4055#section-3

regards,
Nikos

v2.23.0 | Report a Bug | By Email