Tony Arcieri wrote:
>
> It's also worth noting that BERserk is one of many such incidents of this
> coming up in practice:
> https://cryptosense.com/why-pkcs1v1-5-signature-should-also-be-put-out-of-our-misery/
With the PKCS#1 v1.5 signature verification operation,
as described in PKCS#1 v2.0 (rfc
It's also worth noting that BERserk is one of many such incidents of this
coming up in practice:
https://cryptosense.com/why-pkcs1v1-5-signature-should-also-be-put-out-of-our-misery/
On Tue, Aug 9, 2016 at 2:13 PM, Tony Arcieri wrote:
> On Tue, Aug 9, 2016 at 7:16 AM, Martin Rex wrote:
>
>> BER
On Tue, Aug 9, 2016 at 7:16 AM, Martin Rex wrote:
> BERserk is an implementation defect, not a crypto weakness.
>
Hence why I phrased the question the way I did. Per Izu, Shimoyama, and
Takenaka 2006, PKCS#1 v1.5 has sharp edges which implementers must avoid
(of course, the same can be said of B
Tony Arcieri wrote:
> On Monday, August 8, 2016, Martin Rex wrote:
> >
> > The urban myth about the advantages of the RSA-PSS signature scheme
> > over PKCS#1 v1.5 keeps coming up.
>
> Do you think we'll see real-world MitM attacks against RSA-PSS in TL
Tony Arcieri writes:
>Do you think we'll see real-world MitM attacks against RSA-PSS in TLS similar
>to those we've seen with PKCS#1v1.5 signature forgery, such as BERserk?
Not BERserk specifically because that was an attack on the ASN.1, not the
signature format. OTOH PSS doesn't encode the ha
On Monday, August 8, 2016, Martin Rex wrote:
>
> The urban myth about the advantages of the RSA-PSS signature scheme
> over PKCS#1 v1.5 keeps coming up.
>
Do you think we'll see real-world MitM attacks against RSA-PSS in TLS
similar to those we've seen with PKCS#1v1.5 signature forgery, such as
BE
Martin Rex wrote:
> The urban myth about the advantages of the RSA-PSS signature scheme
> over PKCS#1 v1.5 keeps coming up.
PKCS#1 v1.5 is a partial-domain scheme, not a full-domain scheme. So,
RSA-PSS (without a salt, or with a fixed salt) might still have an
advantage over PKCS#1 v1.5 because it
> Is that limited, so limited today? Aren't we at a time where the majority of
> servers will use an HSM (either real hardware or virtualized)?
Without even defining "virtualized HSM" the answer is no.
___
TLS mailing list
TLS@ietf.org
https://www.iet
On Mon, 2016-08-08 at 14:55 +0200, Martin Rex wrote:
> > Please see the paper "Another Look at ``Provable Security''" from
> > Neal
> > Koblitz and Alfred Menezes.
> >
> > https://eprint.iacr.org/2004/152
> >
> > Section 7: Conclusion
> >
> > "There is no need for the PSS or Katz-Wang versions
Hanno Böck wrote:
>
> Actually there is some info on that in the PSS spec [1]. What I write
> here is my limited understanding, but roughly I'd interpret it as this:
> It says that if you use a non-random salt the security gets reduced to
> the security of full domain hashing, which was kinda the
Rene Struik wrote:
> The papers [1] and [2] may be of interest here. In [2], Section 3.3, Alfred
> Menezes and Neal Koblitz compare FDH-hash RSA signatures, PSS (lots of
> randomness in the salt), and a scheme by Wang and Katz that only contains
> one bit of randomness with signing and is claimed
Hi Hanno:
The papers [1] and [2] may be of interest here. In [2], Section 3.3,
Alfred Menezes and Neal Koblitz compare FDH-hash RSA signatures, PSS
(lots of randomness in the salt), and a scheme by Wang and Katz that
only contains one bit of randomness with signing and is claimed to have
tigh
Hi,
On Sat, 6 Aug 2016 18:54:56 -1000
Brian Smith wrote:
> Also, I think it would be great if people working on proofs of
> security for TLS could take into consideration the fact that
> some--perhaps many--implementations will intentionally or accidentally
> use some form of deterministic or le
The current draft says "It is RECOMMENDED that implementations
implement 'deterministic ECDSA' as specified in [RFC6979]." The
current draft also says, regarding RSA-PSS signatures: "When used in
signed TLS handshake messages, the length of the salt MUST be equal to
the length of the digest output.