On Tue, Mar 01, 2016 at 10:26:35AM -0800, Watson Ladd wrote:
> > And so (maybe not entirely coincidentally!): another attack, dubbed
> > DROWN, just emerged¹, using SSLv2 as - you guessed it - a
> > Bleichenbacher padding oracle against RSA PKCS#1 v1.5!
>
> PSS doesn't help against Bleichenbacher attacks on encryption. The attack
> still can compute a private key operation.
Yes, fortunately TLS 1.3 eliminates RSA key transport. Otherwise,
for key transport we'd want OAEP rather than PSS.
Still, even though DROWN does not attack RSA signatures, we cannot
say that ongoing use of PKCS#1 v1.5 signatures is particularly
wise.
http://www.automatednetworkedstorage.biz/emc-plus/rsa-labs/historical/raising-standard-rsa-signatures-rsa-pss.htm
Burt Kaliski, RSA Laboratories
February 26, 2003
Executive Summary
RSA-PSS is a new signature scheme that is based on the RSA
cryptosystem and provides increased security assurance. It was
added in version 2.1 of PKCS #1.
While the traditional and widely deployed PKCS #1 v1.5 signature
scheme is still appropriate to use, RSA Laboratories encourages
a gradual transition to RSA-PSS as new
applications are developed.
So the question is how "gradual" we want the transition to be. If
v1.5 is negotiable in TLS 1.3, we're looking at another decade or
two; perhaps by then QC will make RSA obsolete?
--
Viktor.
_______________________________________________
TLS mailing list
https://www.ietf.org/mailman/listinfo/tls
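As an added illustration of the Bleichenbacher oracle the thread is discussing (example code written for this page, not part of the original message, of the RSA Labs paper, or of DROWN), the following Python implements PKCS#1 v1.5 type 2 encryption padding, a server-side conformance check that leaks the single bit the attack needs, and the first two steps of Bleichenbacher's 1998 algorithm: finding a blinding factor s for which c*s^e decrypts to a conformant block, then narrowing the interval known to contain the plaintext. The key is a toy RSA modulus built from two Mersenne primes, the message and RNG seed are constructed for the demonstration, and all function names are the example's own.

```python
# Added example, not from the original thread: a toy PKCS#1 v1.5 decryption
# oracle and the first interval-narrowing step of Bleichenbacher's 1998 attack.
# Everything below (key, message, padding) is constructed for illustration.
import random

# Toy RSA key from two known Mersenne primes: trivially factorable and far too
# small for real use, but a valid RSA key (gcd(e, (p-1)(q-1)) == 1 for e=65537).
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # needs Python 3.8+
K = (N.bit_length() + 7) // 8          # modulus length in octets (30 here)
B = 1 << (8 * (K - 2))                 # the attack's "B": 2^(8(k-2))


def pkcs1_v15_pad(msg: bytes, seed: int) -> int:
    """EME-PKCS1-v1_5: EM = 0x00 0x02 || PS || 0x00 || M, PS >= 8 nonzero bytes.
    A seeded RNG stands in for the real random padding so runs are repeatable."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    rng = random.Random(seed)
    ps = bytes(rng.randrange(1, 256) for _ in range(K - 3 - len(msg)))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")


def encrypt(m: int) -> int:
    return pow(m, E, N)


def padding_oracle(c: int) -> bool:
    """What a leaky server exposes: one bit saying whether the decrypted block
    starts with 0x00 0x02. Real servers usually check more (the 0x00 separator,
    padding length), but this 'loose' oracle is already enough for the attack."""
    em = pow(c, D, N).to_bytes(K, "big")
    return em[0] == 0x00 and em[1] == 0x02


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def find_first_s(c: int, oracle) -> int:
    """Step 2a: smallest s >= ceil(N/3B) such that c * s^e mod N is conformant,
    i.e. such that m*s mod N lies in [2B, 3B)."""
    s = ceil_div(N, 3 * B)
    while not oracle((c * pow(s, E, N)) % N):
        s += 1
    return s


def narrow(intervals, s: int):
    """Step 3: knowing m*s mod N is in [2B, 3B), replace each candidate
    interval [a, b] for m by the sub-intervals consistent with that fact."""
    new = []
    for a, b in intervals:
        r_lo = ceil_div(a * s - 3 * B + 1, N)
        r_hi = (b * s - 2 * B) // N
        for r in range(r_lo, r_hi + 1):
            lo = max(a, ceil_div(2 * B + r * N, s))
            hi = min(b, (3 * B - 1 + r * N) // s)
            if lo <= hi:
                new.append((lo, hi))
    return new


def demo(msg: bytes = b"premaster secret", seed: int = 1) -> dict:
    """Attacker view: an intercepted c plus oracle access. The plaintext m is
    used only to check the conclusions the attacker would draw blind."""
    m = pkcs1_v15_pad(msg, seed)
    c = encrypt(m)
    s = find_first_s(c, padding_oracle)
    before = [(2 * B, 3 * B - 1)]          # all the attacker knows about m at first
    after = narrow(before, s)
    return {
        "s": s,
        "s_conformant": 2 * B <= (m * s) % N < 3 * B,
        "width_before": B,
        "width_after": sum(hi - lo + 1 for lo, hi in after),
        "m_in_after": any(lo <= m <= hi for lo, hi in after),
    }


if __name__ == "__main__":
    print(demo())
```

For this modulus N/3B is about 341 and roughly one s in N/B (about 1024) is conformant, so demo() needs on the order of a thousand oracle queries to find its first s, after which the candidate interval for m shrinks from width B to a small fraction of it; the full attack repeats steps 2 and 3 until one value remains. The check in padding_oracle is the whole problem: a chosen ciphertext passes it with a probability an attacker can exploit, which is exactly the property OAEP's decoding is designed not to have, and the reason the message wants OAEP rather than v1.5 for key transport, with PSS as the corresponding improvement on the signature side.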