Re: [TLS] Using RSA PSS in TLS
Hanno Böck <hanno@hboeck.de> Thu, 15 January 2015 00:28 UTC
Date: Thu, 15 Jan 2015 01:28:15 +0100
From: Hanno Böck <hanno@hboeck.de>
To: tls@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qaBgAboFh5BfoAHb8vrUHG87lNI>

On Wed, 14 Jan 2015 15:15:53 +0100
Florian Weimer <fweimer@redhat.com> wrote:

> On 10/14/2013 10:39 AM, Johannes Merkle wrote:
> > While the current discussion on this list is about ECC, I would
> > like to raise the question if it were not desirable to allow usage
> > of provably secure RSA-PSS signatures from PKCS#1v2.1 in TLS.
>
> So it seems that using RSA-PSS is difficult (although CAs could offer
> to issue multiple certificates which could be switched as needed if a
> server operator doesn't want to make both RSA-PSS signatures and
> PKCS#1 1.5 signatures).

There's nothing difficult about PSS. Sure, it is not "nice" to use the
same key for PKCS #1 1.5 and 2.1. But I'm not aware of anything even
close to an attack, it's "just" good cryptographic practice.

Right now TLS uses the same key for encryption and signatures, which is
basically the same problem. Nobody has raised this as an issue ever as
far as I'm aware.

We should simply switch to PSS. I plan to submit a pull request to do
that as soon as I find time for it.

--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42