Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-10 Thread Martin Rex
Tony Arcieri wrote: > > It's also worth noting that BERserk is one of many such incidents of this > coming up in practice: > https://cryptosense.com/why-pkcs1v1-5-signature-should-also-be-put-out-of-our-misery/ With the PKCS#1 v1.5 signature verification operation, as described in PKCS#1 v2.0

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-09 Thread Tony Arcieri
It's also worth noting that BERserk is one of many such incidents of this coming up in practice: https://cryptosense.com/why-pkcs1v1-5-signature-should-also-be-put-out-of-our-misery/ On Tue, Aug 9, 2016 at 2:13 PM, Tony Arcieri wrote: > On Tue, Aug 9, 2016 at 7:16 AM, Martin

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-09 Thread Tony Arcieri
On Tue, Aug 9, 2016 at 7:16 AM, Martin Rex wrote: > BERserk is an implementation defect, not a crypto weakness. > Hence why I phrased the question the way I did. Per Izu, Shimoyama, and Takenaka 2006, PKCS#1 v1.5 has sharp edges which implementers must avoid (of course, the same

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-09 Thread Martin Rex
Tony Arcieri wrote: [ Charset UTF-8 unsupported, converting... ] > On Monday, August 8, 2016, Martin Rex wrote: > > > > The urban myth about the advantages of the RSA-PSS signature scheme > > over PKCS#1 v1.5 keep coming up. > > Do you think we'll see real-world MitM attacks

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-08 Thread Tony Arcieri
On Monday, August 8, 2016, Martin Rex wrote: > > The urban myth about the advantages of the RSA-PSS signature scheme > over PKCS#1 v1.5 keep coming up. > Do you think we'll see real-world MitM attacks against RSA-PSS in TLS similar to those we've seen with PKCS#1v1.5 signature

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-08 Thread Brian Smith
Martin Rex wrote: > The urban myth about the advantages of the RSA-PSS signature scheme > over PKCS#1 v1.5 keep coming up. PKCS#1 v1.5 is a partial-domain scheme, not a full-domain scheme. So, RSA-PSS (without a salt, or with a fixed salt) might still have an advantage over PKCS#1

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-08 Thread Salz, Rich
> Is that limited, so limited today? Aren't we at a time where the majority of > servers will use an HSM (either real hardware or virtualized)? Without even defining "virtualized HSM" the answer is no.

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-08 Thread Nikos Mavrogiannopoulos
On Mon, 2016-08-08 at 14:55 +0200, Martin Rex wrote: > > Please see the paper "Another Look at ``Provable Security''" from > > Neal > > Koblitz and Alfred Menezes. > > > > https://eprint.iacr.org/2004/152 > > > > Section 7: Conclusion > > > > "There is no need for the PSS or Katz-Wang versions

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-08 Thread Martin Rex
Hanno Böck wrote: > > Actually there is some info on that in the PSS spec [1]. What I write > here is my limited understanding, but roughly I'd interpret it as this: > It says that if you use a non-random salt the security gets reduced to > the security of full domain hashing, which was kinda the

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-07 Thread Brian Smith
Rene Struik wrote: > The papers [1] and [2] may be of interest here. In [2], Section 3.3, Alfred > Menezes and Neil Koblitz compare FDH-hash RSA signatures, PSS (lots of > randomness in the salt), and a scheme by Wang and Katz that only contains > one bit of randomness with

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-07 Thread Rene Struik
Hi Hanno: The papers [1] and [2] may be of interest here. In [2], Section 3.3, Alfred Menezes and Neil Koblitz compare FDH-hash RSA signatures, PSS (lots of randomness in the salt), and a scheme by Wang and Katz that only contains one bit of randomness with signing and is claimed to have

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-07 Thread Hanno Böck
Hi, On Sat, 6 Aug 2016 18:54:56 -1000 Brian Smith wrote: > Also, I think it would be great if people working on proofs of > security for TLS could take into consideration the fact that > some--perhaps many--implementations will intentionally or accidentally > use some form

[TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-06 Thread Brian Smith
The current draft says "It is RECOMMENDED that implementations implement 'deterministic ECDSA' as specified in [RFC6979]." The current draft also says, regarding RSA-PSS signatures: "When used in signed TLS handshake messages, the length of the salt MUST be equal to the length of the digest