On Wed, Mar 16, 2016 at 5:36 AM, Peter Gutmann
<[email protected]> wrote:
> After a number of, uh, gentle reminders from people who have been waiting for
> this, I've finally got around to posting the TLS-LTS draft I mentioned a while
> back. It's now available as:
>
> http://www.ietf.org/id/draft-gutmann-tls-lts-00.txt
Section 3.4. "Implementation Issues" says:
TLS-LTS requires that RSA signature verification be done as encode-
then-compare, which fixes all known padding-manipulation issues:
o TLS-LTS implementations MUST verify RSA signatures by using
encode-then-compare, meaning that they encode the expected
signature result and perform a constant-time compare against the
recovered signature data.
This is the procedure specified in PKCS #1 v2.1 (RFC 3447), Section
8.2.2, with the additional requirement that the comparison in Step 4
be constant-time, right?
https://tools.ietf.org/html/rfc3447#section-8.2.2
and the alternative procedure outlined in the Note at the end of that
section shall not be used?
Note. Another way to implement the signature verification operation
is to apply a "decoding" operation (not specified in this document)
to the encoded message to recover the underlying hash value, and then
to compare it to a newly computed hash value. This has the advantage
that it requires less intermediate storage (two hash values rather
than two encoded messages), but the disadvantage that it requires
additional code.
Thanks,
Wan-Teh Chang
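As an added illustration (not part of the thread, the draft or RFC 3447), this Python sketch does RSASSA-PKCS1-v1_5 verification the way Section 8.2.2 describes, with Step 4 done as a constant-time comparison of the whole re-encoded EM against the whole recovered EM rather than parsing EM; the Miller-Rabin helper, the 512-bit toy key and the use of `random` are constructed for the demo only.

```python
import hashlib
import hmac
import random

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 3447 9.2 Note 1

def _is_probable_prime(n, rounds=20):  # Miller-Rabin; constructed helper for the demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(e=65537):  # toy 512-bit RSA key for the demo only
    while True:
        p = random.getrandbits(256) | 1 << 255 | 1
        q = random.getrandbits(256) | 1 << 255 | 1
        # e is prime, so gcd(e, phi) == 1 iff e divides neither p-1 nor q-1
        if p != q and (p - 1) % e and (q - 1) % e and _is_probable_prime(p) and _is_probable_prime(q):
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def emsa_pkcs1_v15_encode(message, em_len):
    """EMSA-PKCS1-v1_5 (RFC 3447, section 9.2): 0x00 || 0x01 || PS || 0x00 || T."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def sign(priv, message):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15_encode(message, k), "big"), d, n).to_bytes(k, "big")

def verify(pub, message, signature):
    """RFC 3447 8.2.2 with Step 4 as a constant-time compare of whole EMs (encode-then-compare)."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False  # RFC 3447 8.2.2 Step 1 and Step 2a checks
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), emsa_pkcs1_v15_encode(message, k))
```

Because the entire EM is compared, a recovered block with mis-sized padding or trailing garbage can never match the expected encoding.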
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls