Re: [TLS] Case for negotiation of PKCS#1.5 RSASSA-PKCS1-v1_5 in TLS 1.3
Andrey Jivsov <crypto@brainhub.org> Tue, 26 January 2016 03:33 UTC
Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40B301B2D6D for <tls@ietfa.amsl.com>; Mon, 25 Jan 2016 19:33:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.301
X-Spam-Level:
X-Spam-Status: No, score=-1.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, J_CHICKENPOX_34=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Kn-CWlacsyK for <tls@ietfa.amsl.com>; Mon, 25 Jan 2016 19:33:05 -0800 (PST)
Received: from resqmta-po-10v.sys.comcast.net (resqmta-po-10v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:169]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29DD31B2D68 for <tls@ietf.org>; Mon, 25 Jan 2016 19:32:59 -0800 (PST)
Received: from resomta-po-13v.sys.comcast.net ([96.114.154.237]) by resqmta-po-10v.sys.comcast.net with comcast id ATYs1s00157bBgG01TYztC; Tue, 26 Jan 2016 03:32:59 +0000
Received: from [192.168.2.3] ([76.103.100.237]) by resomta-po-13v.sys.comcast.net with comcast id ATYx1s00D57Jnqc01TYyvs; Tue, 26 Jan 2016 03:32:59 +0000
From: Andrey Jivsov <crypto@brainhub.org>
To: tls@ietf.org
References: <56A192FC.4060206@brainhub.org> <35455210.tz7m1zDUF6@pintsize.usersys.redhat.com> <56A64D5E.7090104@akamai.com> <3922672.SasYckhRS6@pintsize.usersys.redhat.com> <275D7C71-340A-448D-B0FA-1250AD06AED6@vigilsec.com>
Message-ID: <56A6E8E9.8090902@brainhub.org>
Date: Mon, 25 Jan 2016 19:32:57 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <275D7C71-340A-448D-B0FA-1250AD06AED6@vigilsec.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1453779179; bh=SMlVU7eDAb0D5hUcM6x3IfOLXzoqROAWMPnwQESHF14=; h=Received:Received:From:Subject:To:Message-ID:Date:MIME-Version: Content-Type; b=BcDPJGQhyHoOFaYxhy+JgqaCed1pQOZjxRlkKT5VJe4W88FnZwV/5vK2m5Zyg8JW3 lObOcoEmX6E0AUAatPyzrIoEYGIxgukQ5VA4wk0oW+ErrjF+cmr6dEnSMAfdjHGI4H knS/dkI9vfOannPmA+tGZnUVYPqOKKkCC56ywJl18BaGozcG+0ypt6x3DPqbQI6MQ1 iSQOBahiLBgxIjtp0VjbJYu516H9F2BDF8mLPGXqb/C37gflDByScHWAzLY98eXeFl yRKXfoXSP0wsiGbe3bNmQMBRo5IIdzPs/gtRcW0QWk+jeavN46wYKysp7wRafIq9+/ y3J7mbzgfgi+g==
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/stBeOMcZgRgjpiRRe4NelP49WME>
Subject: Re: [TLS] Case for negotiation of PKCS#1.5 RSASSA-PKCS1-v1_5 in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jan 2016 03:33:07 -0000
On 01/25/2016 03:11 PM, Russ Housley wrote:
> On Jan 25, 2016, at 2:43 PM, Hubert Kario wrote:
>
>> On Monday 25 January 2016 10:29:18 Benjamin Kaduk wrote:
>>> On 01/22/2016 01:14 PM, Hubert Kario wrote:
>>>> On Friday 22 January 2016 10:39:26 Andrey Jivsov wrote:
>>>>> On 01/22/2016 03:14 AM, Hubert Kario wrote:
>>>>>>> The only solution that's available at this point is conditioning
>>>>>>> TLS
>>>>>>> 1.3 support on appropriate hardware. For this reason TLS 1.3 it
>>>>>>> probably won't be enabled by default in the product I work on. I
>>>>>>> would prefer for TLS 1.3 to be enabled by default and write the
>>>>>>> code
>>>>>>> to decide whether it does PSS or falls back to RSA PKCS1 1.5.
>>>>>> Yes, it would be nice. But PKCS#1 v1.5 had it long coming. Not
>>>>>> cutting it off now would be negligent.
>>>>> You mean for HS only, while leaving it for X.509 certs?
>>>> If we don't do it for HS in TLS first, we'll never get rid of it in
>>>> X.509 certs.
>>>>
>>>> We need to start somewhere, and it's more reasonable to expect that
>>>> hardware with support for new protocols will get updated for RSA-PSS
>>>> handling than that libraries and hardware will suddenly start
>>>> implementing it in droves just in anticipation of the time when CAs
>>>> _maybe_ will start issuing certificates signed with RSA-PSS.
>>> Isn't it more a matter of TLS being a consumer of external PKIX
>>> infrastructure, the web PKI, etc.? They are out of the reach of the
>>> IETF TLS working group; any requirements we attempted to impose would
>>> be unenforceable, even if there was an Internet Police (which there
>>> is not).
>> TLS will happily use PKCS#1 v1.5 signed X.509 certificates, so how
>> exactly is creating a side effect of increasing the deployment rate of
>> RSA-PSS _in TLS implementations_ an "overreach"?!
> I have been a supporter of PSS for a very long time -- see RFC 4055.
>
> We have many algorithm transition issues, but this is one place where we have seen very little progress. I would like to see support for PSS in the protocol, even if we need to support PKCS v1.5 for certificate signatures for a long time.
Is there evidence that hard-wiring {PSS} in HS and {PSS, PKCS#1 1.5}
with X.509 certs will lead to better PSS adoption than if {PSS, PKCS#1
1.5} were available in both HS and X.509 certs?
This should be balanced against the reality that PSS in HS with TLS 1.3
guarantees lower TLS 1.3 adoption as I wrote above. PSS-only in TLS 1.3
HS may make code more complex as well.
I am trying to imagine a logic that a TLS 1.3 client supporting
smartcard client authentiation would need to implement, assuming
mandatory PSS signing in HS, e.g. a case of Firefox + PKCS#11 interface
with a smartcard.
First, the code should query (attached? logged-in?) smartcard(s) to
determine if the key(s) on the smartcard that might be used for client
authentication can do PSS signing. PKCS#11 interface lists the PSS
capability as CKM_SHA256_RSA_PKCS_PSS mechanism. If no such PSS+hash
mechanism is available, the code needs to tag the keys(s) as TLS
1.2-only. When the client connects to a TLS 1.3 server and the server
requests client authentication with the non-PSS key, I think this will
require protocol dance down to TLS 1.2 (insecure TLS fallback).
Alternatively, the client will need to start from TLS 1.2 when it
detected such a smartcard, for any server.
The underlying reasons why CAs can't sign with PSS v.s. TLS server or
client are probably overlapping in many cases: FIPS 140, HSM, hardware.
The all-or-nothing approach to PSS sin HS eems inconsistent with
traditional feature negotiation in TLS HS.
> Russ
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
- [TLS] Case for negotiation of PKCS#1.5 RSASSA-PKC… Andrey Jivsov
- Re: [TLS] Case for negotiation of PKCS#1.5 RSASSA… Hubert Kario
- Re: [TLS] Case for negotiation of PKCS#1.5 RSASSA… Andrey Jivsov
- Re: [TLS] Case for negotiation of PKCS#1.5 RSASSA… Hubert Kario
- Re: [TLS] Case for negotiation of PKCS#1.5 RSASSA… Benjamin Kaduk
- Re: [TLS] Case for negotiation of PKCS#1.5 RSASSA… Sean Turner
- Re: [TLS] Case for negotiation of PKCS#1.5 RSASSA… Hubert Kario
- Re: [TLS] Case for negotiation of PKCS#1.5 RSASSA… Russ Housley
- Re: [TLS] Case for negotiation of PKCS#1.5 RSASSA… Andrey Jivsov
- Re: [TLS] Case for negotiation of PKCS#1.5 RSASSA… Hubert Kario
- Re: [TLS] Case for negotiation of PKCS#1.5 RSASSA… Benjamin Kaduk