Re: [TLS] RSA-PSS in TLS 1.3

Alyssa Rowan <akr@akr.io> Tue, 01 March 2016 18:23 UTC

Return-Path: <akr@akr.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76EA91B34EB for <tls@ietfa.amsl.com>; Tue, 1 Mar 2016 10:23:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XCmlFyw5YgFy for <tls@ietfa.amsl.com>; Tue, 1 Mar 2016 10:23:23 -0800 (PST)
Received: from entima.net (entima.net [78.129.143.175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4119B1B3434 for <tls@ietf.org>; Tue, 1 Mar 2016 10:23:22 -0800 (PST)
To: tls@ietf.org
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <56D4ABAD.90902@brainhub.org> <20160229233617.5466ebd3@pc1> <56D51FFB.9050909@brainhub.org> <DE710794-CA42-48E1-9AB9-A2BE2899E071@gmail.com>
From: Alyssa Rowan <akr@akr.io>
Message-ID: <56D5DE1D.3000708@akr.io>
Date: Tue, 1 Mar 2016 18:23:25 +0000
MIME-Version: 1.0
In-Reply-To: <DE710794-CA42-48E1-9AB9-A2BE2899E071@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/zSwZva3xERkFfvJ9m_RjSSE-7Lo>
Subject: Re: [TLS] RSA-PSS in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2016 18:23:25 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-03-01 11:35, Yoav Nir wrote:

>>> [HB] We have an RFC for PSS since 2003. We had several attacks 
>>> showing the weakness of PKCS #1 1.5.

And so (maybe not entirely coincidentally!): another attack, dubbed
DROWN, just emerged¹, using SSLv2 as - you guessed it - a
Bleichenbacher padding oracle against RSA PKCS#1 v1.5!

(Please do stop me if you've heard this one before! <g>)

>> [AJ] Why not ban PKCS #1.5 altogether from TLS 1.3? It will not 
>> only make TLS 1.3 more secure, but code simpler and footprint 
>> smaller. Besides, it's reasonable: TLS 1.2 already allows PSS in 
>> X.509

A very strong +1 as far as I'm concerned.

> [YN] It would be cool to ban PKCS#1.5 from certificates, but we
> are not the PKIX working group. Nor are we the CA/Browser forum.
> When a CA issues a certificate it has to work with every client
> and server out there, When we use TLS 1.3, the other side supports
> TLS 1.3 as well, so it’s fair to assume that it knows PSS.

Perhaps the PKIX working group and CAB/Forum could both use a friendly
reminder not to ignore how perilous using RSA PKCS#1 v1.5 still remains?
___
[1] <https://drownattack.com/drown-attack-paper.pdf>

- -- 
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJW1d4SAAoJEOyEjtkWi2t6kIQP/2Ziaeu2RGqHqV1Oa6dB0+Go
iPbrrHe9C7l7yHxWfhur6ldGUnqAKyzhD5X0RHby0lbpXTcBFQjWPQ3shZE8CUV2
mM4N2UyoAu5w1kOkSvHImeWrtdOPDTBTZhwFJjzEHtLkri6+CXzKE82B94WfhX8/
ddQxg9uaV7eDEcW4um+vn0NG/+IuiJvfVTX7YtNj0yVSvEO7bm6/WRHsWV0FaQ+C
HtNawk+KP966PLUPH1N6vBvhNpiZkMtv3QUsKbzAQDn8SPfXHWGy2CBxPLjtIv2w
dTmY9dOxJsc7KswtM7DJQqx7azgeGAlLc8MV1PyXw1fIq2qtVI4Fk1+DNrMteC5B
cNkez/nPwR01FFj3QV5OnbpcqIX1v9nmGrpDuFw+99xcMjgRrSRc3boclV8/H0PA
k8XllkgmXj75TkqSkPV1YXVwOJAT65Uwke7tKHf4TwXSwz+qZVji+y8ZqZ7ACs2/
Pp3IrlNLuJUmFjE+p8zhhEQU6fQjEdkAxT/3KY8/1nKxlXByFVHu1p1jZk7aWBtw
aSEDLCI4XKKAJ118yXRtHXxA7LGNujsBYCoSp1A4Rkce57Ea7iuVd4pmctbMgiTA
g3UAb7cE4NflzRyQd1Gbycu6wenovj9bOD4HRdTuADRdfGpXv8HMEG+eOUuE7DHx
Af4y+IDpfW7HTraWjiKX
=iX03
-----END PGP SIGNATURE-----