IETF Logo Mail Archive

Re: [TLS] TLS 1.3 draft-07 sneak peek

mrex@sap.com (Martin Rex) Tue, 07 July 2015 13:02 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CDBF1A037F for <tls@ietfa.amsl.com>; Tue, 7 Jul 2015 06:02:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.251
X-Spam-Level:
X-Spam-Status: No, score=-6.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v4cinh361HeO for <tls@ietfa.amsl.com>; Tue, 7 Jul 2015 06:02:01 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EECA71A037E for <tls@ietf.org>; Tue, 7 Jul 2015 06:02:00 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 6D1822AAC2; Tue, 7 Jul 2015 15:01:59 +0200 (CEST)
X-purgate-ID: 152705::1436274119-00000B48-D109CCC5/0/0
X-purgate-size: 2049
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 5E1EE400A3; Tue, 7 Jul 2015 15:01:59 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 563111A1C0; Tue, 7 Jul 2015 15:01:59 +0200 (CEST)
In-Reply-To: <20150705201944.5dfce8d5@pc1>
To: Hanno Böck <hanno@hboeck.de>
Date: Tue, 07 Jul 2015 15:01:59 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20150707130159.563111A1C0@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/uzMBkwP1ieMQ5uUJBHW67mMOUYE>
Cc: tls@ietf.org
Subject: Re: [TLS] TLS 1.3 draft-07 sneak peek
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 13:02:06 -0000

Hanno Böck wrote:
> 
>> Hanno Böck wrote:
>>> On RSA there was only limited discussion, but I had the impression
>>> there is hardly an argument for not going with PSS
>> 
>> You seem to believe that RSA-PSS is better than PKCS#1 v1.5 signature
>> padding.  Could you elaborate why you believe this to be?
> 
> The most obvious reason is the Bleichenbacher signature forgery attack
> and related issues like BERserk.  I can hardly think how anything
> similar could happen with PSS.

Both are pure implementation issues, and the solution to both have been
well-known and specified several years before TLSv1.2:

http://tools.ietf.org/html/rfc3447#section-9.2

   This encoding method is deterministic and only has an encoding
   operation.

But the designers of TLSv1.2, who _newly_ added support for
BERserk-susceptible PKCS#1 v1.5 signatures failed to require
the known-safe approach.


>
> BERserk especially highlights a new problem of the old PKCS: Having a
> complex encoding (ASN.1) directly inside a cryptographic function seems
> like a bad idea.

No, BERserk highlights two other issues.  Reckless spec writers
in combination with superficial implementers.


> 
>> It was my impression that RSA-PSS adds complexity and slows down
>> things
> 
> The added complexity is limited. The performance probably is hardly
> measurable. It's a couple of added hash calculations. But if this is a
> real concern I can try to create some benchmarks.

As I've previously wrote about RSA-PSS, the real issue is not about
the transform specified in rfc3447, but about the PKIX policy crap
expected / associated with RSA-PSS, such as what rfc4055 says.

You typically have to change low-level crypto functions to be
able to pass along the crazy (and superflous) RSA-PSS algorithm
parameters around (and the parameters necessary to be able to
perform the expected policy checks).

ECDSA signatures are much easier to accomodate with existing APIs
(they have other problems).


-Martin

v2.23.0 | Report a Bug | By Email