Re: [TLS] RSA-PSS in TLS 1.3

2016-07-06 Thread Tony Arcieri
On Wednesday, July 6, 2016, Andrey Jivsov wrote: > Was it really the consensus that the group didn't want to allow PKCS-1.5 > negotiated for handshake signatures (for certificate verifies)? > Based on my read of this thread: yes. The consensus seems to be to disallow PKCS #1 signatures in TLS 1.

Re: [TLS] RSA-PSS in TLS 1.3

2016-07-06 Thread Andrey Jivsov
On 07/06/2016 10:23 AM, Joseph Salowey wrote: > I don't think we ever call consensus on this topic. It looks like there > is rough consensus to move forward with RSA-PSS as the MUST implement > algorithm for certificate verify in TLS 1.3 and not allow PKCS-1.5. > During the discussion it also se

Re: [TLS] RSA-PSS in TLS 1.3

2016-07-06 Thread Russ Housley
I support a MUST for RSA_PSS for certificate verify, and it does seem like a good idea to be algorithm agile. Russ On Jul 6, 2016, at 1:23 PM, Joseph Salowey wrote: > I don't think we ever call consensus on this topic. It looks like there is > rough consensus to move forward with RSA-PSS as

Re: [TLS] RSA-PSS in TLS 1.3

2016-07-06 Thread Joseph Salowey
I don't think we ever call consensus on this topic. It looks like there is rough consensus to move forward with RSA-PSS as the MUST implement algorithm for certificate verify in TLS 1.3 and not allow PKCS-1.5. During the discussion it also seemed that it is realistic that we may want to add additi

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-09 Thread Hubert Kario
On Tuesday 08 March 2016 18:41:32 Viktor Dukhovni wrote: > On Tue, Mar 08, 2016 at 07:24:37PM +0100, Hubert Kario wrote: > > No, I said that we have no reason to believe that quantum computers > > won't follow exponential increase in number of qbits they can > > handle, > > with the highest increas

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-08 Thread Viktor Dukhovni
On Tue, Mar 08, 2016 at 07:24:37PM +0100, Hubert Kario wrote: > No, I said that we have no reason to believe that quantum computers > won't follow exponential increase in number of qbits they can handle, > with the highest increase not exceeding doubling every year, but more > likely doubling e

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-08 Thread Hubert Kario
ck; Blumenthal, > > Uri - 0553 - MITLL > > Subject: Re: [TLS] RSA-PSS in TLS 1.3 > > > > On Monday 07 March 2016 15:23:17 Scott Fluhrer wrote: > > > > > > > In 2001, a Quantum Computer factored a 4 bit number. In 2014, > > > the > >

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-08 Thread Scott Fluhrer (sfluhrer)
> -Original Message- > From: Hubert Kario [mailto:hka...@redhat.com] > Sent: Monday, March 07, 2016 12:18 PM > To: Scott Fluhrer (sfluhrer) > Cc: tls@ietf.org; Nikos Mavrogiannopoulos; Hanno Böck; Blumenthal, Uri - > 0553 - MITLL > Subject: Re: [TLS] RSA-PSS in TLS

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-07 Thread Tony Arcieri
On Mon, Mar 7, 2016 at 8:34 AM, Scott Fluhrer (sfluhrer) wrote: > Defenses against the first type of attack (passive eavesdropping by someone > who will build a QC sometime in the future) are something that this WG > should address; even if the PKI people don't have an answer, we would at > least

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-07 Thread Hubert Kario
ck; > > Blumenthal, Uri - 0553 - MITLL > > Subject: Re: [TLS] RSA-PSS in TLS 1.3 > > > > On Friday 04 March 2016 13:49:11 Scott Fluhrer wrote: > > > > > > -Original Message- > > > > From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Nik

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-07 Thread Scott Fluhrer (sfluhrer)
From: Tony Arcieri [mailto:basc...@gmail.com] Sent: Monday, March 07, 2016 11:40 AM To: Scott Fluhrer (sfluhrer) Cc: Nikos Mavrogiannopoulos; Hanno Böck; Blumenthal, Uri - 0553 - MITLL; tls@ietf.org Subject: Re: [TLS] RSA-PSS in TLS 1.3 On Mon, Mar 7, 2016 at 8:34 AM, Scott Fluhrer (sfluhrer

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-07 Thread Scott Fluhrer (sfluhrer)
> -Original Message- > From: Nikos Mavrogiannopoulos [mailto:n...@redhat.com] > Sent: Monday, March 07, 2016 8:42 AM > To: Scott Fluhrer (sfluhrer); Hanno Böck; Blumenthal, Uri - 0553 - MITLL; > tls@ietf.org > Subject: Re: [TLS] RSA-PSS in TLS 1.3 > > On Fri, 2

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-07 Thread Ilari Liusvaara
On Mon, Mar 07, 2016 at 01:51:41PM +, Hannes Mehnert wrote: > On 01/03/2016 11:32, Yoav Nir wrote: > >> On 1 Mar 2016, at 6:56 AM, Martin Thomson wrote: > >> > >> On 1 March 2016 at 04:32, Joseph Salowey wrote: > >>> We make RSA-PSS mandatory to implement (MUST implement instead of MUST > >>>

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-07 Thread Scott Fluhrer (sfluhrer)
> -Original Message- > From: Hubert Kario [mailto:hka...@redhat.com] > Sent: Monday, March 07, 2016 6:43 AM > To: tls@ietf.org > Cc: Scott Fluhrer (sfluhrer); Nikos Mavrogiannopoulos; Hanno Böck; > Blumenthal, Uri - 0553 - MITLL > Subject: Re: [TLS] RSA-PSS in TLS

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-07 Thread Hannes Mehnert
On 01/03/2016 11:32, Yoav Nir wrote: >> On 1 Mar 2016, at 6:56 AM, Martin Thomson wrote: >> >> On 1 March 2016 at 04:32, Joseph Salowey wrote: >>> We make RSA-PSS mandatory to implement (MUST implement instead of MUST >>> offer). Clients can advertise support for PKCS-1.5 for backwards >>> comp

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-07 Thread Nikos Mavrogiannopoulos
On Fri, 2016-03-04 at 13:49 +, Scott Fluhrer (sfluhrer) wrote: > Given that there probably is no long term future for RSA anyway > > > (people want ECC and postquantum is ahead) I doubt anything else > > > than > > > the primitives we already have in standards will ever be viable. > > On the co

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-07 Thread Hubert Kario
ietf.org > > Subject: Re: [TLS] RSA-PSS in TLS 1.3 > > > > On Thu, 2016-03-03 at 17:11 +0100, Hanno Böck wrote: > > > > > It may be worth asking the authors what's their opinion of FDH vs > > > > > > > PSS > > > >

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-04 Thread Martin Rex
Fedor Brunner wrote: > > Please see the paper "Another Look at ``Provable Security''" from Neal > Koblitz and Alfred Menezes. > > https://eprint.iacr.org/2004/152 > > Section 7: Conclusion > > "There is no need for the PSS or Katz-Wang versions of RSA; > one might as well use just the basic ?ha

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-04 Thread Fedor Brunner
Hanno Böck: > On Thu, 3 Mar 2016 13:35:46 + > "Dang, Quynh (Fed)" wrote: > >> Why don't we use an even more elegant RSA signature called " >> full-domain hash RSA signature" ? > > Full Domain Hashing was originally developed by Rogaway and Bellare and > then later dismissed because they foun

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-04 Thread Martin Rex
Hanno Böck wrote: > m...@sap.com (Martin Rex) wrote: >> >> The *huge* advantage of PKCS#1 v1.5 signatures over RSA-PSS and ECDSA >> signatures is that one can clearly distinguish "wrong public key" >> from "signature does not fit plaintext" errors, and losing this >> capability makes certain kinds

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-04 Thread Hanno Böck
On Fri, 4 Mar 2016 14:45:13 +0100 (CET) m...@sap.com (Martin Rex) wrote: > What should have been adopted for TLSv1.2 already, however, is the less > forgiving PKCS#1 v1.5 signature check, that re-creates the encoding > and then compares the recreated inner encoding with the RSA-decrypted > encoding onl

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-04 Thread Scott Fluhrer (sfluhrer)
> -Original Message- > From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Nikos > Mavrogiannopoulos > Sent: Friday, March 04, 2016 3:10 AM > To: Hanno Böck; Blumenthal, Uri - 0553 - MITLL; tls@ietf.org > Subject: Re: [TLS] RSA-PSS in TLS 1.3 > > On Thu, 2

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-04 Thread Martin Rex
Hanno Böck wrote: > Joseph Salowey wrote: >> >> We make RSA-PSS mandatory to implement (MUST implement instead of MUST >> offer). Clients can advertise support for PKCS-1.5 for backwards >> compatibility in the transition period. >> Please respond on the list on whether you think this is a reas

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-04 Thread Nikos Mavrogiannopoulos
On Thu, 2016-03-03 at 17:11 +0100, Hanno Böck wrote: > It may be worth asking the authors what's their opinion of FDH vs > > PSS > > in view of the state of the art *today*. > You may do that, but I doubt that changes much. > > I think FDH really is not an option at all here. It may very well be >

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-03 Thread Dang, Quynh (Fed)
Subject: Re: [TLS] RSA-PSS in TLS 1.3 On Thu, 3 Mar 2016 15:29:37 + "Blumenthal, Uri - 0553 - MITLL" wrote: > Also, wasn't PSS developed before SHA3 and SHAKE were known, let > alone available? Yeah, more than 10 years before. It's more the other way round: P

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-03 Thread Hanno Böck
On Thu, 3 Mar 2016 15:29:37 + "Blumenthal, Uri - 0553 - MITLL" wrote: > Also, wasn't PSS developed before SHA3 and SHAKE were known, let > alone available? Yeah, more than 10 years before. It's more the other way round: PSS and other constructions showed the need for hash functions with a

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-03 Thread Blumenthal, Uri - 0553 - MITLL
al Message From: Dang, Quynh (Fed) Sent: Thursday, March 3, 2016 09:21 To: Hanno Böck; tls@ietf.org Subject: Re: [TLS] RSA-PSS in TLS 1.3 Hi Hanno, I think the PSS uses a random salt to get the hashing probabilistic. A customized version of a SHAKE can/may take a domain-separation string or/and

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-03 Thread Dang, Quynh (Fed)
AM To: tls@ietf.org Subject: Re: [TLS] RSA-PSS in TLS 1.3 On Thu, 3 Mar 2016 13:35:46 + "Dang, Quynh (Fed)" wrote: > Why don't we use an even more elegant RSA signature called " > full-domain hash RSA signature" ? Full Domain Hashing was originally developed

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-03 Thread Hanno Böck
On Thu, 3 Mar 2016 13:35:46 + "Dang, Quynh (Fed)" wrote: > Why don't we use an even more elegant RSA signature called " > full-domain hash RSA signature" ? Full Domain Hashing was originally developed by Rogaway and Bellare and then later dismissed because they found that they could do bette

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-03 Thread Dang, Quynh (Fed)
hich avoids any potential issues with the paddings and the signature algorithm would be very simple. Regards, Quynh. From: TLS on behalf of Dave Garrett Sent: Wednesday, March 2, 2016 4:16 PM To: tls@ietf.org Subject: Re: [TLS] RSA-PSS in TLS 1.3 On Wedn

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-02 Thread Dave Garrett
On Wednesday, March 02, 2016 01:57:48 am Viktor Dukhovni wrote: > adaptive attacks are I think a greater potential > threat against interactive TLS than against a bunch of CA-authored > bits at rest. +1 ___ TLS mailing list TLS@ietf.org https://www.ietf

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-02 Thread Yoav Nir
> On 2 Mar 2016, at 5:57 PM, Eric Rescorla wrote: > > > > On Wed, Mar 2, 2016 at 1:25 AM, Yoav Nir > wrote: > > > On 2 Mar 2016, at 11:16 AM, Rob Stradling > > wrote: > > > > On 02/03/16 09:10, Rob Stradling wrote: > > > >>> Neit

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-02 Thread Eric Rescorla
On Wed, Mar 2, 2016 at 1:25 AM, Yoav Nir wrote: > > > On 2 Mar 2016, at 11:16 AM, Rob Stradling > wrote: > > > > On 02/03/16 09:10, Rob Stradling wrote: > > > >>> Neither you nor I can post in any of the CA/Browser forum’s lists, > >>> because neither of us has either a browser or a public CA.

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-02 Thread Yoav Nir
> On 2 Mar 2016, at 11:16 AM, Rob Stradling wrote: > > On 02/03/16 09:10, Rob Stradling wrote: > >>> Neither you nor I can post in any of the CA/Browser forum’s lists, >>> because neither of us has either a browser or a public CA. >>> >>> There are some people who are active there and are read

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-02 Thread Rob Stradling
On 02/03/16 09:10, Rob Stradling wrote: Neither you nor I can post in any of the CA/Browser forum’s lists, because neither of us has either a browser or a public CA. There are some people who are active there and are reading this list, so they might take such a proposal there. I’m not very opti

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-02 Thread Rob Stradling
On 01/03/16 19:20, Yoav Nir wrote: On 1 Mar 2016, at 8:23 PM, Alyssa Rowan wrote: When a CA issues a certificate it has to work with every client and server out there, That doesn't have to be true. For example, many OpenSSL-based servers can be configured to serve an ECC certificate to T

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Viktor Dukhovni
On Wed, Mar 02, 2016 at 08:37:46AM +0200, Yoav Nir wrote: > Because this is a particular field that we control. Which is in itself a reasonable argument for leaving legacy behind, ... but also because adaptive attacks are I think a greater potential threat against interactive TLS than against a

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Yoav Nir
> On 2 Mar 2016, at 3:03 AM, Andrey Jivsov wrote: > > On 03/01/2016 11:20 AM, Yoav Nir wrote: >> >> On 1 Mar 2016, at 8:23 PM, Alyssa Rowan wrote: >> [YN] It would be cool to ban PKCS#1.5 from certificates, but we are not the PKIX working group. Nor are we the CA/Browser forum.

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Andrey Jivsov
On 03/01/2016 11:20 AM, Yoav Nir wrote: On 1 Mar 2016, at 8:23 PM, Alyssa Rowan wrote: [YN] It would be cool to ban PKCS#1.5 from certificates, but we are not the PKIX working group. Nor are we the CA/Browser forum. When a CA issues a certificate it has to work with every client and server ou

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Martin Thomson
On 2 March 2016 at 05:38, Viktor Dukhovni wrote: > Yes, fortunately TLS 1.3 eliminates RSA key transport. It does not. It just doesn't *use* RSA key transport. That's the unfortunate part. Hence the call for key separation.

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Hanno Böck
On Tue, 1 Mar 2016 18:23:25 + Alyssa Rowan wrote: > And so (maybe not entirely coincidentally!): another attack, dubbed > DROWN, just emerged¹, using SSLv2 as - you guessed it - a > Bleichenbacher padding oracle against RSA PKCS#1 v1.5! To be fair, the issues surrounding RSA encryption are d

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Yoav Nir
On 1 Mar 2016, at 8:23 PM, Alyssa Rowan wrote: > > [YN] It would be cool to ban PKCS#1.5 from certificates, but we > > are not the PKIX working group. Nor are we the CA/Browser forum. > > When a CA issues a certificate it has to work with every client > > and server out there, When we use TLS 1.

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Viktor Dukhovni
On Tue, Mar 01, 2016 at 10:26:35AM -0800, Watson Ladd wrote: > > And so (maybe not entirely coincidentally!): another attack, dubbed > > DROWN, just emerged¹, using SSLv2 as - you guessed it - a > > Bleichenbacher padding oracle against RSA PKCS#1 v1.5! > > PSS doesn't help against Bleichenbacher

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Watson Ladd
On Mar 1, 2016 10:23 AM, "Alyssa Rowan" wrote: > > On 2016-03-01 11:35, Yoav Nir wrote: > > >>> [HB] We have an RFC for PSS since 2003. We had several attacks > >>> showing the weakness of PKCS #1 1.5. > > And so (maybe not entirely coincidenta

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Alyssa Rowan
On 2016-03-01 11:35, Yoav Nir wrote: >>> [HB] We have an RFC for PSS since 2003. We had several attacks >>> showing the weakness of PKCS #1 1.5. And so (maybe not entirely coincidentally!): another attack, dubbed DROWN, just emerged¹, using SSLv2

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Yoav Nir
> On 1 Mar 2016, at 6:52 AM, Andrey Jivsov wrote: > > On 02/29/2016 02:36 PM, Hanno Böck wrote: >> We have an RFC for PSS since 2003. >> We had several attacks showing the weakness of PKCS #1 1.5. > > In the face of such danger, what's your opinion on PKCS #1.5 signatures being > perfectly fin

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Yoav Nir
> On 1 Mar 2016, at 6:56 AM, Martin Thomson wrote: > > On 1 March 2016 at 04:32, Joseph Salowey wrote: >> We make RSA-PSS mandatory to implement (MUST implement instead of MUST >> offer). Clients can advertise support for PKCS-1.5 for backwards >> compatibility in the transition period. > >>

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Nikos Mavrogiannopoulos
On Mon, 2016-02-29 at 09:32 -0800, Joseph Salowey wrote: > We seem to have good consensus on moving to RSA-PSS and away from > PKCS-1.5 in TLS 1.3. However, there is a problem that it may take > some hardware implementations some time to move to RSA-PSS. After an > off list discussion with a few

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-01 Thread Martin Thomson
On 1 March 2016 at 16:06, Viktor Dukhovni wrote: >> It is much easier to mandate PSS in TLS 1.3 now, than to remove it >> later. Servers that can't do PSS will use TLS 1.2. This avoids >> a break-the-web day. > > Sorry, ... than to remove *PKCS#1.5* later ... Yes, this is true for some people,

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Viktor Dukhovni
On Tue, Mar 01, 2016 at 04:59:47AM +, Viktor Dukhovni wrote: > It is much easier to mandate PSS in TLS 1.3 now, than to remove it > later. Servers that can't do PSS will use TLS 1.2. This avoids > a break-the-web day. Sorry, ... than to remove *PKCS#1.5* later ... -- Viktor.

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Viktor Dukhovni
On Tue, Mar 01, 2016 at 03:56:53PM +1100, Martin Thomson wrote: > It seems like others are taking the position that we should say "MUST > NOT use PKCS#1.5". I would love for that to be the case, but I want > to separate decision path for that, preferably one that is somewhat > under my control.

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Martin Thomson
On 1 March 2016 at 04:32, Joseph Salowey wrote: > We make RSA-PSS mandatory to implement (MUST implement instead of MUST > offer). Clients can advertise support for PKCS-1.5 for backwards > compatibility in the transition period. From my perspective, this is fine. I would like to say that we

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Andrey Jivsov
On 02/29/2016 02:36 PM, Hanno Böck wrote: We have an RFC for PSS since 2003. We had several attacks showing the weakness of PKCS #1 1.5. In the face of such danger, what's your opinion on PKCS #1.5 signatures being perfectly fine in TLS 1.3 ? I refer to signatures in X.509 certs in the latest

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Hanno Böck
On Mon, 29 Feb 2016 12:35:57 -0800 Andrey Jivsov wrote: > Without a generous advance warning about PKCS#1.5 removal by TLS 1.3, > we have to deal with already deployed hardware. Had vendors and > customers known that TLS 1.3 will remove PKCS #1.5, we probably would > have ended up with more PSS-fr

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Dave Garrett
On Monday, February 29, 2016 03:35:57 pm Andrey Jivsov wrote: > I think that supporting PKCS1.5 fallback is the right thing to do for > wider adoption of TLS 1.3, as specified above. I think it's long past the time where everyone has to acknowledge that within protocols, there's no such thing as

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Andrey Jivsov
On 02/29/2016 09:32 AM, Joseph Salowey wrote: > We seem to have good consensus on moving to RSA-PSS and away from > PKCS-1.5 in TLS 1.3. However, there is a problem that it may take some > hardware implementations some time to move to RSA-PSS. After an off > list discussion with a few folks here

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Salz, Rich
I originally was okay with the proposal, but Brian made me think about the timeline. And I liked Yoav’s sentiment ☺ RSA-PSS only for TLS 1.3

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Andrey Jivsov
On 02/29/2016 09:32 AM, Joseph Salowey wrote: We seem to have good consensus on moving to RSA-PSS and away from PKCS-1.5 in TLS 1.3. However, there is a problem that it may take some hardware implementations some time to move to RSA-PSS. After an off list discussion with a few folks here is a

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Brian Smith
Joseph Salowey wrote: > We seem to have good consensus on moving to RSA-PSS and away from PKCS-1.5 > in TLS 1.3. However, there is a problem that it may take some hardware > implementations some time to move to RSA-PSS. After an off list discussion > with a few folks here is a proposal for movi

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Yoav Nir
> On 29 Feb 2016, at 8:00 PM, Hanno Böck wrote: > > On Mon, 29 Feb 2016 09:32:04 -0800 > Joseph Salowey wrote: > >> We make RSA-PSS mandatory to implement (MUST implement instead of MUST >> offer). Clients can advertise support for PKCS-1.5 for backwards >> compatibility in the transition pe

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Yoav Nir
> On 29 Feb 2016, at 7:39 PM, Viktor Dukhovni wrote: > > On Mon, Feb 29, 2016 at 09:32:04AM -0800, Joseph Salowey wrote: > >> We seem to have good consensus on moving to RSA-PSS and away from PKCS-1.5 >> in TLS 1.3. However, there is a problem that it may take some hardware >> implementations

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Benjamin Beurdouche
> PKCS #1 1.5 is a real problem. The last PKCS #1 1.5 signature related > vuln that could've been prevented by using RSA-PSS was found 2 months > ago [1]. The last one in a major implementation (BERserk) was in 2014. > > tl;dr: I don't think supporting PKCS #1 1.5 in TLS 1.3 is reasonable. > Let'

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Hanno Böck
On Mon, 29 Feb 2016 09:32:04 -0800 Joseph Salowey wrote: > We make RSA-PSS mandatory to implement (MUST implement instead of MUST > offer). Clients can advertise support for PKCS-1.5 for backwards > compatibility in the transition period. > Please respond on the list on whether you think this i

Re: [TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Viktor Dukhovni
On Mon, Feb 29, 2016 at 09:32:04AM -0800, Joseph Salowey wrote: > We seem to have good consensus on moving to RSA-PSS and away from PKCS-1.5 > in TLS 1.3. However, there is a problem that it may take some hardware > implementations some time to move to RSA-PSS. After an off list discussion > wit

[TLS] RSA-PSS in TLS 1.3

2016-02-29 Thread Joseph Salowey
We seem to have good consensus on moving to RSA-PSS and away from PKCS-1.5 in TLS 1.3. However, there is a problem that it may take some hardware implementations some time to move to RSA-PSS. After an off list discussion with a few folks here is a proposal for moving forward. We make RSA-PSS man