Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

Andrey Jivsov <crypto@brainhub.org> Tue, 29 May 2018 21:19 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9373412E054 for <tls@ietfa.amsl.com>; Tue, 29 May 2018 14:19:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brainhub-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0cw6mWaiWK9d for <tls@ietfa.amsl.com>; Tue, 29 May 2018 14:19:24 -0700 (PDT)
Received: from mail-pl0-x236.google.com (mail-pl0-x236.google.com [IPv6:2607:f8b0:400e:c01::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4ADE112DA6A for <tls@ietf.org>; Tue, 29 May 2018 14:19:24 -0700 (PDT)
Received: by mail-pl0-x236.google.com with SMTP id 30-v6so9674821pld.13 for <tls@ietf.org>; Tue, 29 May 2018 14:19:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brainhub-org.20150623.gappssmtp.com; s=20150623; h=sender:subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=GC5hq0Cqoer7K+6xwHxeJLE+QOosCfTP+EOv5nmMReY=; b=l2YEDMCWQHMwE6Z4XTEso2a7OOm2zEHZQdeYDyxaxMl9mECkxGmgQcQsctKjEJC/nS l4Z9WOdKF76QCgoIrg6wUzBhLzpO+dxLL1kUM0iw2z1Sxk9lVapWNt8npg77z9fK8DDE J5YfgEURdwWdJkBzrETh6o4UKsxzZLk4Df/GrYDonSLVJj1wZqV/BzppGoBFRpfxPTM3 8R/xGcL6zE5tBqZ63NFTz0awJaE8z9Dm9+/XfPyljQPbq99m4X8KbE3/u03yLx6MCq2D bnucT1+1EzuHdY8wa8MGoXlKc0NpdDiJgmM2qsGiRspk+5yqGcmF+mAA3F4gurTmA8+3 SxpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:subject:to:cc:references:from:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=GC5hq0Cqoer7K+6xwHxeJLE+QOosCfTP+EOv5nmMReY=; b=Cbupgen4d4RUjflrRDuBzFNGmXI3oHufxGukqXFyunl4uEeHf/Cj13N1kKS5Zyx/Pw u2H5zxiKDZxGG4hPlOMVZwZ30CPuNPtGueS9SJ/wk77ktWv9/leY80ZcOLYBBfFPV0No SS+C5sV17S59lBVjzNqnS/5xR8yq1JFfd/RIGNGuh9z862qrJ5jctv3Zxyjkoypqubyl 35rWig1gtOs+44knukmK/rbuLDFhZW2y9oQQEHYj5XbbS7E8fu/CgUgnbhEegaUnUIa4 O9tjo30t3mEaXka/aIHEhJPeL2740K0waLSP1XjxfmplhaEV6Hv7he6SrhqFIjkl1UQ7 wdxQ==
X-Gm-Message-State: ALKqPwchVsOMvpE7V0r6j5YNZ2RL/TmYUUcrVz2mQqTX75Yii083wlaC 868sFauMoe+czZuz9t2Y4LJe0s6F
X-Google-Smtp-Source: ADUXVKKOU2E6r/dOPZ2pplu/3/0sVgfIi1gvw2EIdY1t9ZrFodYSuk9MA8B8wUSL1rLCYDZJNd5FpQ==
X-Received: by 2002:a17:902:9a4c:: with SMTP id x12-v6mr55805plv.213.1527628763285; Tue, 29 May 2018 14:19:23 -0700 (PDT)
Received: from [192.168.86.104] ([104.219.107.83]) by smtp.googlemail.com with ESMTPSA id q69-v6sm23013260pfl.16.2018.05.29.14.19.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 29 May 2018 14:19:22 -0700 (PDT)
Sender: Andrey <andrey@brainhub.org>
To: David Benjamin <davidben@chromium.org>
Cc: Benjamin Kaduk <bkaduk@akamai.com>, "tls@ietf.org" <tls@ietf.org>
References: <a96fb90a-5533-6fc9-4473-fa2e5d0ac131@brainhub.org> <20180529191319.GJ13834@akamai.com> <2f30d9d5-17a0-4a83-ab2d-bfd399c73fd2@brainhub.org> <20180529194251.GK13834@akamai.com> <50f2f097-d8b0-334d-e1b2-1ea34fff9d29@brainhub.org> <CAF8qwaAZOZs__81Q2zvreM-X-t07G80V-4t1NKgZCWiP5yD-Yg@mail.gmail.com> <d8b6f651-f5ac-a16e-db81-91812e483f72@brainhub.org> <CAF8qwaB_LoPAvz41k0_+FANnrAznzTHE9h4dhq5SKP+mkiL0jg@mail.gmail.com>
From: Andrey Jivsov <crypto@brainhub.org>
Message-ID: <7c503b05-1c33-7c94-d79f-b7feb2d8c145@brainhub.org>
Date: Tue, 29 May 2018 14:19:21 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <CAF8qwaB_LoPAvz41k0_+FANnrAznzTHE9h4dhq5SKP+mkiL0jg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tztIlVNb2EcQfqGl5ZMidXk2G9w>
Subject: Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 May 2018 21:19:28 -0000

On 05/29/2018 01:58 PM, David Benjamin wrote:
> On Tue, May 29, 2018 at 4:26 PM Andrey Jivsov <crypto@brainhub.org
> <mailto:crypto@brainhub.org>> wrote:
> 
>     On 05/29/2018 01:07 PM, David Benjamin wrote:
>     > I'm not sure I follow this. So, in this scenario, you are the client.
>     > You wish to support TLS 1.3, which requires supporting RSA-PSS in TLS
>     > 1.3, and this is fine. You are able to verify RSA-PSS signatures from
>     > the server at TLS 1.3.
>     >
>     > At the same time, you still talk to some TLS 1.2 servers, so you
>     may get
>     > a response from them. As TLS 1.2 and TLS 1.3 use the same signature
>     > algorithms negotiation, that same ClientHello obligates your client
>     > (newly updated to support TLS 1.3) to also verify RSA-PSS signatures
>     > from TLS 1.2. But this causes troubles somehow.
>     >
>     > I'm confused how a client would have an RSA-PSS function available at
>     > one version, but not the other. Or am I misunderstanding your
>     situation?
> 
>     There is a need to upgrade TLS 1.2 stack, just because one can now
>     negotiate TLS 1.3.
> 
> 
> I think this came up on the list earlier which way to go here, and folks
> seemed to generally prefer this one. In our implementation, we unified
> the TLS 1.2 and TLS 1.3 signature logic which made things simpler
> overall. I think this was true for most folks.
>  
> 
>     Does this "upgrade" to TLS 1.2 extends to client authentication? Then
>     this adds more work.
> 
> 
>     There can be a performance penalty with RSA-PSS v.s. RSA legacy and more
>     issues when private keys are used in client authentication (because e.g.
>     they are HSM keys).
> 
> 
> The client authentication scenario seems unrelated to me. In both TLS
> 1.2 and TLS 1.3, there is no relation between the client's advertised
> signature algorithm list (which is the algorithms it will *accept* from
> the server) and the client's signing preferences (which control the
> CertificateVerify it will *send*). The latter is never even sent over
> the wire.
> 
> As a client, you get to choose which signature algorithm you use.
> Offering RSA-PSS to the server for its TLS 1.2 ServerKeyExchange does
> not obligate you to select it in your TLS 1.2 CertificateVerify. You
> select out of what the server offered in CertificateRequest. This code
> point allocation means the server *may* offer RSA-PSS and you *may*
> select it if offered. But if that is difficult for whatever reason, you
> also can still select PKCS#1 if the server offers it. (Of course, the
> server may offer you only things you can't handle, but that's not a new
> concern.)

OK. We don't know, though, what will happen in practice with TLS 1.2
CertificateRequest if the server upgraded TLS 1.2 ServerKeyExchange.
Will it be more likely that the choices in CertificateRequest will be
narrower?

> 
> Chrome does just that. Our verify preferences include RSA-PSS, but our
> signing preferences when configured for client certificates are
> separate, precisely because of issues with smartcards and the like.
> 
> As for the performance penalty, I think it was clearly the WG's
> consensus that the benefits of migrating to PSS outweighed the entropy
> draw and hash operations that PSS takes.

The issue here is that some hardware devices don't implement RSA CRT
method with PSS, because they hard-wide RSA, legacy padding, and CRT
method in one operation. RSA PSS can still be done, but only via a
general modexp operation, which will be ~2x shower. Therefore, in these
scenarios PSS incurs 2x performance penalty.

( Maybe RSA verification should be done on CPU, but this will require
changes to TLS 1.2 code. )

The limitations are similar to what you wrote about smartcards. There
are some odd hardware limitations. That hardware was just fine years ago
with TLS 1.2.

Higher entropy consumption is negligible here.

>  
> 
>     >
>     > On Tue, May 29, 2018 at 4:05 PM Andrey Jivsov <crypto@brainhub.org
>     <mailto:crypto@brainhub.org>
>     > <mailto:crypto@brainhub.org <mailto:crypto@brainhub.org>>> wrote:
>     >
>     >     On 05/29/2018 12:42 PM, Benjamin Kaduk wrote:
>     >     > On Tue, May 29, 2018 at 12:35:20PM -0700, Andrey Jivsov wrote:
>     >     >> On 05/29/2018 12:13 PM, Benjamin Kaduk wrote:
>     >     >>> On Tue, May 29, 2018 at 11:57:39AM -0700, Andrey Jivsov wrote:
>     >     >>>> Greetings.
>     >     >>>>
>     >     >>>> TLS 1.3 draft in sec 4.2.3.  Signature Algorithms tells
>     that if
>     >     a client
>     >     >>>> wants to negotiate TLS 1.3, it must support an upgraded (and
>     >     >>>> incompatible) version of TLS 1.2, the one that changes
>     RFC 5246
>     >     to allow
>     >     >>>> RSA-PSS in sec. 7.4.1.4.1. Signature Algorithms.
>     >     >>>>
>     >     >>>> You might recall that the possibility to negotiate
>     between PSS and
>     >     >>>> RSASSA-PKCS1-v1_5 in TLS 1.3 handshake, just as it is allowed
>     >     for X.509
>     >     >>>> signatures, was discussed on the mailing list. The WG
>     decision
>     >     then was
>     >     >>>> to hard-wire PSS in the TLS 1.3 handshake.
>     >     >>>>
>     >     >>>> I don't recall any discussion on going further than this, all
>     >     the way to
>     >     >>>> changing the 10-year old TLS 1.2.
>     >     >>>>
>     >     >>>> Unfortunately, our products have issues with PSS beyond our
>     >     control. The
>     >     >>>> only solution left to avoid receiving PSS with TLS 1.2 is
>     to never
>     >     >>>> negotiate TLS 1.3 as a client. Another solution is insecure
>     >     fallback,
>     >     >>>> but we presently don't do this.
>     >     >>>>
>     >     >>>> Is my reading of the situation correct? Thank you.
>     >     >>>
>     >     >>> Sounds like it:
>     >     >>>
>     >     >>>    RSASSA-PKCS1-v1_5 algorithms  Indicates a signature
>     algorithm
>     >     using
>     >     >>>       RSASSA-PKCS1-v1_5 [RFC8017] with the corresponding hash
>     >     algorithm
>     >     >>>       as defined in [SHS].  These values refer solely to
>     signatures
>     >     >>>       which appear in certificates (see Section 4.4.2.2)
>     and are not
>     >     >>>       defined for use in signed TLS handshake messages,
>     although
>     >     they
>     >     >>>       MAY appear in "signature_algorithms" and
>     >     >>>       "signature_algorithms_cert" for backward compatibility
>     >     with TLS
>     >     >>>       1.2,
>     >     >>>
>     >     >>> -Ben
>     >     >>>
>     >     >>
>     >     >> I was referring to
>     >     >>>
>     >     >>>    -  Implementations that advertise support for RSASSA-PSS
>     >     (which is
>     >     >>>       mandatory in TLS 1.3), MUST be prepared to accept a
>     signature
>     >     >>>       using that scheme even when TLS 1.2 is negotiated. 
>     In TLS
>     >     1.2,
>     >     >>>       RSASSA-PSS is used with RSA cipher suites.
>     >     >>
>     >     >> I am OK with what you quoted. What I just quoted represents a
>     >     >> significant change in behavior in TLS 1.2 and there is no
>     way to
>     >     opt out
>     >     >> of this change to TLS 1.2.
>     >     >
>     >     > Ah, I misread your original message, but all is clear now.
>     >     >
>     >     >> I will add that I've seen this behavior by servers already,
>     even when
>     >     >> client doesn't advertise TLS 1.3. Just the fact of
>     including some
>     >     08 xx
>     >     >> IDs in signature_algorithms in ClientHello, without
>     protocol_version
>     >     >> extension, gets the TLS 1.2 upgraded to RSA-PSS.
>     >     >>
>     >     >> IMO this paragraph should be removed. Those that want PSS
>     in the
>     >     >> handshake should negotiate TLS 1.3. Preservation of current
>     >     behavior of
>     >     >> TLS 1.2 is important, at least as an option.
>     >     >
>     >     > First off, it's basically too late to make substantive changes
>     >     like that;
>     >     > the bar to meet is something like "a huge outcry from
>     deployments" or
>     >     > "a critical security flaw".
>     >     >
>     >     > Second, what's going on here is that TLS 1.3 is defining
>     some new
>     >     signature
>     >     > algorithms for TLS messages, and making them mandatory to
>     support
>     >     for TLS 1.3.
>     >     > But negotiation of TLS signature algorithms has *always* been
>     >     independent of
>     >     > protocol version.  If you support TLS 1.3, you also support the
>     >     new signature
>     >     > algorithms; if you support TLS 1.3 and TLS 1.2, you support the
>     >     new signature
>     >     > algorithms and you support TLS 1.2, therefore by the
>     longstanding
>     >     negotiation
>     >     > rules you are obligated to support the combination.  You are in
>     >     effect proposing
>     >     > that we make a break in the signature (and hash) algorithm space
>     >     with individual
>     >     > algorithms supported either in <=1.2 or >=1.3, but not both
>     -- we
>     >     did this for
>     >     > ciphersuites since we fundamentally changed the meaning of
>     what a
>     >     ciphersuite is.
>     >     > But the signature scheme does not seem to have undergone such a
>     >     fundamental change,
>     >     > so it seems hard to justify introducing this sort of split.
>     >     >
>     >     > -Ben
>     >     >
>     >
>     >     We are talking about TLS 1.3-specific IDs:
>     >
>     >              /* RSASSA-PSS algorithms with public key OID
>     rsaEncryption */
>     >               rsa_pss_rsae_sha256(0x0804),
>     >               rsa_pss_rsae_sha384(0x0805),
>     >               rsa_pss_rsae_sha512(0x0806)
>     >
>     >     In TLS 1.2 08 corresponds to the (undefined) hash algorithm,
>     and thus
>     >     these IDs have no meaning to TLS 1.2.
>     >
>     >     TLS 1.3 spec purposely "split" these IDs so that they have no
>     meaning to
>     >     TLS 1.2 servers. One needs the paragraph I quoted to force
>     >     implementations to change the behavior of TLS 1.2.
>     >
>     >     What's the harm of dropping this one paragraph I quoted and
>     keeping TLS
>     >     1.2 behavior the same?
>     >
>     >     _______________________________________________
>     >     TLS mailing list
>     >     TLS@ietf.org <mailto:TLS@ietf.org> <mailto:TLS@ietf.org
>     <mailto:TLS@ietf.org>>
>     >     https://www.ietf.org/mailman/listinfo/tls
>     >
>