Re: [TLS] Using RSA PSS in TLS

Hanno Böck <hanno@hboeck.de> Thu, 15 January 2015 00:28 UTC

Date: Thu, 15 Jan 2015 01:28:15 +0100
From: Hanno Böck <hanno@hboeck.de>
To: tls@ietf.org
Message-ID: <20150115012815.3727ae17@pc>
In-Reply-To: <54B67A19.9010507@redhat.com>
References: <525BADBD.8020007@secunet.com> <54B67A19.9010507@redhat.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qaBgAboFh5BfoAHb8vrUHG87lNI>
Subject: Re: [TLS] Using RSA PSS in TLS

On Wed, 14 Jan 2015 15:15:53 +0100
Florian Weimer <fweimer@redhat.com> wrote:

> On 10/14/2013 10:39 AM, Johannes Merkle wrote:
> > While the current discussion on this list is about ECC, I would
> > like to raise the question if it were not desirable to allow usage
> > of provably secure RSA-PSS signatures from PKCS#1v2.1 in TLS.
> 
> So it seems that using RSA-PSS is difficult (although CAs could offer
> to issue multiple certificates which could be switched as needed if a 
> server operator doesn't want to make both RSA-PSS signatures and
> PKCS#1 1.5 signatures).

There's nothing difficult about PSS.
Sure, it is not "nice" to use the same key for PKCS #1 1.5 and 2.1. But
I'm not aware of anything even close to an attack, it's "just" good
cryptographic practice.

Right now TLS uses the same key for encryption and signatures, which is
basically the same problem. Nobody has raised this as an issue ever
as far as I'm aware.

We should simply switch to PSS. I plan to submit a pull request to do
that as soon as I find time for it.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42