Tony Arcieri wrote:
>
> It's also worth noting that BERserk is one of many such incidents of this
> coming up in practice:
> https://cryptosense.com/why-pkcs1v1-5-signature-should-also-be-put-out-of-our-misery/
With the PKCS#1 v1.5 signature verification operation,
as described in PKCS#1 v2.0
It's also worth noting that BERserk is one of many such incidents of this
coming up in practice:
https://cryptosense.com/why-pkcs1v1-5-signature-should-also-be-put-out-of-our-misery/
On Tue, Aug 9, 2016 at 2:13 PM, Tony Arcieri wrote:
> On Tue, Aug 9, 2016 at 7:16 AM, Martin
On Tue, Aug 9, 2016 at 7:16 AM, Martin Rex wrote:
> BERserk is an implementation defect, not a crypto weakness.
>
Hence why I phrased the question the way I did. Per Izu, Shimoyama, and
Takenaka 2006, PKCS#1 v1.5 has sharp edges which implementers must avoid
(of course, the same
Tony Arcieri wrote:
> On Monday, August 8, 2016, Martin Rex wrote:
> >
> > The urban myth about the advantages of the RSA-PSS signature scheme
> > over PKCS#1 v1.5 keeps coming up.
>
> Do you think we'll see real-world MitM attacks
On Monday, August 8, 2016, Martin Rex wrote:
>
> The urban myth about the advantages of the RSA-PSS signature scheme
> over PKCS#1 v1.5 keeps coming up.
>
Do you think we'll see real-world MitM attacks against RSA-PSS in TLS
similar to those we've seen with PKCS#1 v1.5 signature
Martin Rex wrote:
> The urban myth about the advantages of the RSA-PSS signature scheme
> over PKCS#1 v1.5 keeps coming up.
PKCS#1 v1.5 is a partial-domain scheme, not a full-domain scheme. So,
RSA-PSS (without a salt, or with a fixed salt) might still have an
advantage over PKCS#1
> Is that limited, so limited today? Aren't we at a time where the majority of
> servers will use an HSM (either real hardware or virtualized)?
Without even defining "virtualized HSM" the answer is no.
___
TLS mailing list
TLS@ietf.org
On Mon, 2016-08-08 at 14:55 +0200, Martin Rex wrote:
> > Please see the paper "Another Look at ``Provable Security''" from
> > Neal
> > Koblitz and Alfred Menezes.
> >
> > https://eprint.iacr.org/2004/152
> >
> > Section 7: Conclusion
> >
> > "There is no need for the PSS or Katz-Wang versions
Hanno Böck wrote:
>
> Actually there is some info on that in the PSS spec [1]. What I write
> here is my limited understanding, but roughly I'd interpret it as this:
> It says that if you use a non-random salt the security gets reduced to
> the security of full domain hashing, which was kinda the
Rene Struik wrote:
> The papers [1] and [2] may be of interest here. In [2], Section 3.3, Alfred
> Menezes and Neal Koblitz compare FDH-hash RSA signatures, PSS (lots of
> randomness in the salt), and a scheme by Wang and Katz that only contains
> one bit of randomness with
Hi Hanno:
The papers [1] and [2] may be of interest here. In [2], Section 3.3,
Alfred Menezes and Neal Koblitz compare FDH-hash RSA signatures, PSS
(lots of randomness in the salt), and a scheme by Wang and Katz that
only contains one bit of randomness with signing and is claimed to have
Hi,
On Sat, 6 Aug 2016 18:54:56 -1000
Brian Smith wrote:
> Also, I think it would be great if people working on proofs of
> security for TLS could take into consideration the fact that
> some--perhaps many--implementations will intentionally or accidentally
> use some form
The current draft says "It is RECOMMENDED that implementations
implement 'deterministic ECDSA' as specified in [RFC6979]." The
current draft also says, regarding RSA-PSS signatures: "When used in
signed TLS handshake messages, the length of the salt MUST be equal to
the length of the digest