Re: [TLS] Remove signature algorithms from cipher suites in 1.3

Russ Housley <housley@vigilsec.com> Tue, 30 December 2014 18:36 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB5711A1A20 for <tls@ietfa.amsl.com>; Tue, 30 Dec 2014 10:36:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.701
X-Spam-Level:
X-Spam-Status: No, score=-99.701 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ukqng7cTHlUv for <tls@ietfa.amsl.com>; Tue, 30 Dec 2014 10:36:15 -0800 (PST)
Received: from odin.smetech.net (x-bolt-wan.smeinc.net [209.135.219.146]) by ietfa.amsl.com (Postfix) with ESMTP id C2B4B1A1A0C for <tls@ietf.org>; Tue, 30 Dec 2014 10:36:15 -0800 (PST)
Received: from localhost (unknown [209.135.209.5]) by odin.smetech.net (Postfix) with ESMTP id 292B89A4006; Tue, 30 Dec 2014 13:36:05 -0500 (EST)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id CouQcTuJAgsm; Tue, 30 Dec 2014 13:35:42 -0500 (EST)
Received: from [192.168.2.100] (pool-71-163-125-120.washdc.fios.verizon.net [71.163.125.120]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 86E259A4005; Tue, 30 Dec 2014 13:35:42 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset=us-ascii
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20141225212141.61122705@pc>
Date: Tue, 30 Dec 2014 13:35:31 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <4DDA505A-DC75-480E-88A3-216CDE9AE033@vigilsec.com>
References: <5498DBCE.1070909@delignat-lavaud.fr> <20141223102635.3bda9ed2@pc> <54995163.7070004@delignat-lavaud.fr> <20141225212141.61122705@pc>
To: =?iso-8859-1?Q?Hanno_B=F6ck?= <hanno@hboeck.de>
X-Mailer: Apple Mail (2.1085)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/q7OxrSDJLBLPxsi5Qgz7oXSAbJY
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Remove signature algorithms from cipher suites in 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Dec 2014 18:36:16 -0000

Hanno:

> But my point remains: Why not just say "TLS 1.3 has to use RSA with
> PSS, mo more PKCS #1 1.5"?

I am not aware of any "real" risk of new attacks on RSA signatures enabled by using the same key pair for both PKCS #1 v1.5 and PSS.  The good structure in PSS would probably meant that the security wouldn't get any worse by allowing PSS signatures than with PKCS #1 v1.5 alone.

That said, I believe that the PSS security proof makes the assumption that the key is only used with PSS.  The proof would probably need some modification to allow for the possibility that some signatures would be computed with PKCS #1 v1.5 and others with PSS.  Does anyone know of work on this topic?

Russ