Re: [TLS] RSA-PSS in TLS 1.3

Alyssa Rowan <akr@akr.io> Tue, 01 March 2016 18:23 UTC

To: tls@ietf.org
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <56D4ABAD.90902@brainhub.org> <20160229233617.5466ebd3@pc1> <56D51FFB.9050909@brainhub.org> <DE710794-CA42-48E1-9AB9-A2BE2899E071@gmail.com>
From: Alyssa Rowan <akr@akr.io>
Message-ID: <56D5DE1D.3000708@akr.io>
Date: Tue, 01 Mar 2016 18:23:25 +0000
MIME-Version: 1.0
In-Reply-To: <DE710794-CA42-48E1-9AB9-A2BE2899E071@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/zSwZva3xERkFfvJ9m_RjSSE-7Lo>
Subject: Re: [TLS] RSA-PSS in TLS 1.3
Precedence: list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-03-01 11:35, Yoav Nir wrote:

>>> [HB] We have an RFC for PSS since 2003. We had several attacks 
>>> showing the weakness of PKCS #1 1.5.

And so (maybe not entirely coincidentally!): another attack, dubbed
DROWN, just emerged¹, using SSLv2 as - you guessed it - a
Bleichenbacher padding oracle against RSA PKCS#1 v1.5!

(Please do stop me if you've heard this one before! <g>)

>> [AJ] Why not ban PKCS #1.5 altogether from TLS 1.3? It will not 
>> only make TLS 1.3 more secure, but code simpler and footprint 
>> smaller. Besides, it's reasonable: TLS 1.2 already allows PSS in 
>> X.509

A very strong +1 as far as I'm concerned.

> [YN] It would be cool to ban PKCS#1.5 from certificates, but we
> are not the PKIX working group. Nor are we the CA/Browser forum.
> When a CA issues a certificate it has to work with every client
> and server out there, When we use TLS 1.3, the other side supports
> TLS 1.3 as well, so it’s fair to assume that it knows PSS.

Perhaps the PKIX working group and CAB/Forum could both use a friendly
reminder not to ignore how perilous using RSA PKCS#1 v1.5 still remains?
___
[1] <https://drownattack.com/drown-attack-paper.pdf>

- -- 
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJW1d4SAAoJEOyEjtkWi2t6kIQP/2Ziaeu2RGqHqV1Oa6dB0+Go
iPbrrHe9C7l7yHxWfhur6ldGUnqAKyzhD5X0RHby0lbpXTcBFQjWPQ3shZE8CUV2
mM4N2UyoAu5w1kOkSvHImeWrtdOPDTBTZhwFJjzEHtLkri6+CXzKE82B94WfhX8/
ddQxg9uaV7eDEcW4um+vn0NG/+IuiJvfVTX7YtNj0yVSvEO7bm6/WRHsWV0FaQ+C
HtNawk+KP966PLUPH1N6vBvhNpiZkMtv3QUsKbzAQDn8SPfXHWGy2CBxPLjtIv2w
dTmY9dOxJsc7KswtM7DJQqx7azgeGAlLc8MV1PyXw1fIq2qtVI4Fk1+DNrMteC5B
cNkez/nPwR01FFj3QV5OnbpcqIX1v9nmGrpDuFw+99xcMjgRrSRc3boclV8/H0PA
k8XllkgmXj75TkqSkPV1YXVwOJAT65Uwke7tKHf4TwXSwz+qZVji+y8ZqZ7ACs2/
Pp3IrlNLuJUmFjE+p8zhhEQU6fQjEdkAxT/3KY8/1nKxlXByFVHu1p1jZk7aWBtw
aSEDLCI4XKKAJ118yXRtHXxA7LGNujsBYCoSp1A4Rkce57Ea7iuVd4pmctbMgiTA
g3UAb7cE4NflzRyQd1Gbycu6wenovj9bOD4HRdTuADRdfGpXv8HMEG+eOUuE7DHx
Af4y+IDpfW7HTraWjiKX
=iX03
-----END PGP SIGNATURE-----

Re: [TLS] RSA-PSS in TLS 1.3 Andrey Jivsov
Re: [TLS] RSA-PSS in TLS 1.3 Russ Housley
Re: [TLS] RSA-PSS in TLS 1.3 Joseph Salowey
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Hanno Böck
[TLS] RSA-PSS in TLS 1.3 Joseph Salowey
Re: [TLS] RSA-PSS in TLS 1.3 Viktor Dukhovni
Re: [TLS] RSA-PSS in TLS 1.3 Benjamin Beurdouche
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Brian Smith
Re: [TLS] RSA-PSS in TLS 1.3 Andrey Jivsov
Re: [TLS] RSA-PSS in TLS 1.3 Salz, Rich
Re: [TLS] RSA-PSS in TLS 1.3 Andrey Jivsov
Re: [TLS] RSA-PSS in TLS 1.3 Dave Garrett
Re: [TLS] RSA-PSS in TLS 1.3 Hanno Böck
Re: [TLS] RSA-PSS in TLS 1.3 Andrey Jivsov
Re: [TLS] RSA-PSS in TLS 1.3 Martin Thomson
Re: [TLS] RSA-PSS in TLS 1.3 Viktor Dukhovni
Re: [TLS] RSA-PSS in TLS 1.3 Viktor Dukhovni
Re: [TLS] RSA-PSS in TLS 1.3 Martin Thomson
Re: [TLS] RSA-PSS in TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Alyssa Rowan
Re: [TLS] RSA-PSS in TLS 1.3 Watson Ladd
Re: [TLS] RSA-PSS in TLS 1.3 Viktor Dukhovni
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Hanno Böck
Re: [TLS] RSA-PSS in TLS 1.3 Martin Thomson
Re: [TLS] RSA-PSS in TLS 1.3 Andrey Jivsov
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Viktor Dukhovni
Re: [TLS] RSA-PSS in TLS 1.3 Rob Stradling
Re: [TLS] RSA-PSS in TLS 1.3 Rob Stradling
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Eric Rescorla
Re: [TLS] RSA-PSS in TLS 1.3 Yoav Nir
Re: [TLS] RSA-PSS in TLS 1.3 Dave Garrett
Re: [TLS] RSA-PSS in TLS 1.3 Dang, Quynh (Fed)
Re: [TLS] RSA-PSS in TLS 1.3 Hanno Böck
Re: [TLS] RSA-PSS in TLS 1.3 Dang, Quynh (Fed)
Re: [TLS] RSA-PSS in TLS 1.3 Blumenthal, Uri - 0553 - MITLL
Re: [TLS] RSA-PSS in TLS 1.3 Hanno Böck
Re: [TLS] RSA-PSS in TLS 1.3 Dang, Quynh (Fed)
Re: [TLS] RSA-PSS in TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] RSA-PSS in TLS 1.3 Martin Rex
Re: [TLS] RSA-PSS in TLS 1.3 Scott Fluhrer (sfluhrer)
Re: [TLS] RSA-PSS in TLS 1.3 Hanno Böck
Re: [TLS] RSA-PSS in TLS 1.3 Martin Rex
Re: [TLS] RSA-PSS in TLS 1.3 Fedor Brunner
Re: [TLS] RSA-PSS in TLS 1.3 Martin Rex
Re: [TLS] RSA-PSS in TLS 1.3 Hubert Kario
Re: [TLS] RSA-PSS in TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] RSA-PSS in TLS 1.3 Hannes Mehnert
Re: [TLS] RSA-PSS in TLS 1.3 Scott Fluhrer (sfluhrer)
Re: [TLS] RSA-PSS in TLS 1.3 Ilari Liusvaara
Re: [TLS] RSA-PSS in TLS 1.3 Scott Fluhrer (sfluhrer)
Re: [TLS] RSA-PSS in TLS 1.3 Scott Fluhrer (sfluhrer)
Re: [TLS] RSA-PSS in TLS 1.3 Hubert Kario
Re: [TLS] RSA-PSS in TLS 1.3 Tony Arcieri
[TLS] (TLS1.3 - algorithm agility support is enou… Rene Struik
Re: [TLS] (TLS1.3 - algorithm agility support is … Blumenthal, Uri - 0553 - MITLL
Re: [TLS] (TLS1.3 - algorithm agility support is … Scott Fluhrer (sfluhrer)
Re: [TLS] RSA-PSS in TLS 1.3 Scott Fluhrer (sfluhrer)
Re: [TLS] RSA-PSS in TLS 1.3 Hubert Kario
Re: [TLS] RSA-PSS in TLS 1.3 Viktor Dukhovni
Re: [TLS] RSA-PSS in TLS 1.3 Hubert Kario
Re: [TLS] RSA-PSS in TLS 1.3 Tony Arcieri