IETF Logo Mail Archive

Re: [TLS] TLS RSA-PSS and various versions of TLS

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 26 April 2017 13:42 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DB7F128799 for <tls@ietfa.amsl.com>; Wed, 26 Apr 2017 06:42:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MlMbaP7KT6Xd for <tls@ietfa.amsl.com>; Wed, 26 Apr 2017 06:42:17 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id 8A75D129BAA for <tls@ietf.org>; Wed, 26 Apr 2017 06:41:44 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 0F39940673; Wed, 26 Apr 2017 16:41:43 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id CqQy-E978yo6; Wed, 26 Apr 2017 16:41:42 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id B6FDCC4; Wed, 26 Apr 2017 16:41:42 +0300 (EEST)
Date: Wed, 26 Apr 2017 16:41:40 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Martin Rex <mrex@sap.com>
Cc: Dr Stephen Henson <lists@drh-consultancy.co.uk>, tls@ietf.org
Message-ID: <20170426134140.GA29859@LK-Perkele-V2.elisa-laajakaista.fi>
References: <926e3b6b-5f0c-e00a-5ba3-9a2cfcdc4e8f@drh-consultancy.co.uk> <20170426132358.06FA71A698@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <20170426132358.06FA71A698@ld9781.wdf.sap.corp>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/z9bH6UEU2GjwF_TQmwYbgchsOys>
Subject: Re: [TLS] TLS RSA-PSS and various versions of TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 13:42:19 -0000

On Wed, Apr 26, 2017 at 03:23:57PM +0200, Martin Rex wrote:
> 
> Signatures on certificates are created by CAs, rather than TLS endpoints,
> so any implementation that uses TLS protocol parameters (about TLS signature
> algorithms) for more than a mere cert selection hint, is actively creating
> interop problems while providing *NO* value.  Many TLS peers will have
> just one suitable certificate anyway, so not even looking at certificate
> signatures will be the easiest to implement, most robust and perfectly secure
> behaviour anyway.

What my implementation does with certificate signatures:
- There actually are signature algorithms with no known TLS code, e.g.
  ECDSA-SHA3 signatures. These are known but can not be advertised.
- The built-in server-side certificate selection code never selects
  certificate containing algorithm client didn't advertise.
- The server side certificate chain checking interlocks on unknown
  signature algorithms, but not unadvertised signature algorithms. So
  custom certificate selector can overrule the client advertisment, but
  not known algorithm check.
- On client side, all known algorithms (other than PKCS#1/SHA-1, which
  is treated specially) are treated as valid for certificates. Advertised
  or not. All others are just ignored (which violates a MUST in spec)
  and path building never builds through those..
- Regarding RSA-PSS, only the 3 variants that TLS defines are supported).


> The issue with RSA-PSS digital signatures is that they were defined
> with additional (unnecessary) parameters that are encoded (=hidden) in the
> ASN.1 AlgorithmIdentifier, and that are therefore unspecified when
> RSA-PSS is requested as (rsa-pss,sha-256) rather than with an ASN.1
> AlgorithmIdentifier.

TLS 1.3 specifies what values those parameters have for various
SignatureSchemes.
 
> The additional, unnecessary parameters are "saltLen" and
> "MaskGenerationFunction" (MGF), and the commonly-used MaskGenerationFunction
> (mgf1) adds yet another additional, unnecessary parameter (MGF-internal hash).

Also specified.

> In theory there is another additional, unnecessary parameter "TrailerField",
> which appears in the ASN.1 AlgorithmIdentifier parameter list (and in the
> XMLdsig encoding for RSA-PSS), but PKCS#1 v2.1 (rfc3447) essentially
> hardwires the Trailerfield to option TrailerfieldBC(1), internal value 0xbc.

So this also counts as specified.

> 
> The definition of "implied" RSA-PSS parameters applies only to the
> "digitally-signed" signature blobs using inside the TLS protocol
> because these do not come with an ASN.1 AlgorithmIdentifier tag.
> The implied RSA-PSS paramters for TLS' digitally-signed are unrelated
> to RSA-PSS signatures on certificates (certificates come with explicit
> RSA-PSS parameters encoded in an ASN.1 AlgorithmIdentifer):
> 
>    Certificate  ::=  SEQUENCE  {
>         tbsCertificate       TBSCertificate,
>         signatureAlgorithm   AlgorithmIdentifier,
>         signatureValue       BIT STRING  }
> 
> The original RSA-PSS AlgorithmIdentifer specification also defines
> a hierarchical policy concept, that is supposed to limit the kinds
> of signatures that can be created (verified) with a so-tagged public
> RSA key, and this policy is supposed to work/apply from the RootCA cert
> *downwards* to the leaf / end-entity cert.

I don't think it appiles that way, only per-key.

ExtendedKeyUsage is *not* supposed to be hierarchial, but doesn't
prevent many libraries from handling it that way.

> It seems silly trying to apply implied RSA-PSS parameter selections
> from the digitally-signed TLS protocol transform to the signature
> on the TLS end-entity cert (or worse, even to certs up the cert chain),
> because that would be the wrong/invalid direction.

The SignatureScheme selections only mean those schemes are supported,
not that other RSA-PSS schemes can't be supported in CA signatures
(however, there is no way to advertise those).

> What should be spelled out, whether and how any RSA-PSS policy in the
> subjectPublicKeyInfo AlgorithmIdentifier of the end-entity certificate
> interacts with implied RSA-PSS parameters used by the TLS digitally-signed
> transform.  In any case, the decision whether to accept a certificate
> should be _with_the_receiver_ (verifier / RP), and *NEVER* with the sender.

AFAIK, the only place there is any impiled interaction is when the end-
entity key is RSA-PSS-only. And there the rules are usual matching rules
versus the key.



-Ilari

v2.23.0 | Report a Bug | By Email