Hi Paul

On Mon, May 08, 2017 at 12:46:21PM -0400, Paul Wouters wrote:
> Not only that, but the reason specified is to bump RSA from
> RSASSA-PKCS1-v1_5 to RSASSA-PSS. As far as I know, the security
> issues of RSASSA-PKCS1-v1_5 are that when using it to _encrypt_
> bogus data, it can be used as an oracle to obtain private key
> bits. That means there is no on-the-wire security issue with
> RSASSA-PKCS1-v1_5 for Digital Signatures. And if HSMs are used
> to protect access to private keys, those keys should be marked
> as "signing only keys" to avoid exposing the private key via this
> attack if the machine with the HSM is compromised.
It isn't that the RSASSA-PKCS1-v1_5 signature scheme is currently broken. Revision 00 of the draft had used the RSASSA-PKCS1-v1_5 scheme to make it easier for implementations, and so I was defending it among colleagues at first. However, RSASSA-PSS is a more robust signature scheme with a more exact proof of security. We evaluated our choice and switched to that for use with SHA-3 in revision 01 after it was pointed out on this list.

See "The Exact Security of Digital Signatures - How to Sign with RSA and Rabin", Bellare and Rogaway, for why it is an improvement (vs. FDH):

http://web.cs.ucdavis.edu/~rogaway/papers/exact.pdf

One nuisance of PSS is that it uses entropy during signing (a salt value per signature) that may make it inconvenient for signing in environments without an entropy source. However, it is possible to create signatures with a non-random salt (so it was made a "SHOULD" in the draft) with equivalent security to FDH. With the random salt, it is a far more robust scheme for RSA signatures.

RSASSA-PKCS1-v1_5 is no longer allowed for new applications due to its lack of exact security.

I'll reply to the other comments soon.

Mukund
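The salt behaviour discussed above (a fresh salt per signature versus a fixed or empty salt) is easiest to see in the EMSA-PSS message encoding from RFC 8017 section 9.1, which is the only part of RSASSA-PSS that consumes the salt. The following is an added illustration written for this thread, not code from the draft or from any poster; it implements only the PSS encode/verify transform over a hypothetical 2048-bit modulus (emBits = 2047) with SHA-256 and leaves out the RSA private-key operation itself.

```python
import hashlib
import hmac

HASH = hashlib.sha256  # assumption for this demo; the draft pairs PSS with SHA-3


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || counter) blocks, truncated to mask_len."""
    out, counter = b"", 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def emsa_pss_encode(msg: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1). The caller chooses the salt, so a
    random salt (normal PSS) and an empty salt (deterministic, FDH-like) can be compared."""
    h_len, em_len, s_len = HASH().digest_size, (em_bits + 7) // 8, len(salt)
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    m_hash = HASH(msg).digest()
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()  # H = Hash(M'), M' = 0^64 || mHash || salt
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt  # DB = PS || 0x01 || salt
    masked_db = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - h_len - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the 8*emLen - emBits leading bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2): unmask DB, recover the salt, recompute H."""
    h_len, em_len = HASH().digest_size, (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - h_len - 1], em[em_len - h_len - 1 : -1]
    if masked_db[0] & ((0xFF << (8 - (8 * em_len - em_bits))) & 0xFF):
        return False  # leading bits that must be zero are set
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - h_len - 1)))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False  # padding must be all-zero followed by the 0x01 separator
    salt = bytes(db[ps_len + 1 :])  # whatever follows the separator is the salt
    h_prime = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
    return hmac.compare_digest(h, h_prime)  # constant-time compare of H and H'
```

Encoding the same message twice with different salts yields different encoded messages that both verify, while an empty salt makes the encoding deterministic; a verifier must also know the salt length, since the padding check depends on it.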