Ilari Liusvaara wrote: > Martin Rex wrote: >> Ilari Liusvaara wrote: > >>> Then there's also similar problems with RSA. And then RSA PKCS #1 >>> v1.5 encryption is on just about every "do not use!" list. Get it >>> wrong (good luck getting it right) and it is game over. >> >> Getting PKCS#1 v1.5 right is fairly easy, and requiring it should go into >> TLS 1.2LTS as well. How to do it right for signatures has been >> described in PKCS#1 v2.0 (rfc2437, Oct-1998, Section 8.1.2) already, > > I was talking about encryption, not signatures. Those are used by > TLS_RSA_WITH_* ciphersuites. The encrpytion is very broken, the > signatures are at most slightly such.
Encryption is a public key operation. Maybe you're thinking of *de*cryption instead (aka Bleichenbacher)? AFAIK, the Bleichenbacher countermeasure uses the fact that RSA is homomorphic to multiplication. Decoding the PKCS#1 v1.2 Blocktype 02 padding of the decrypted RSA premaster secret in constant time does also not require rocket science. But it seems sufficiently non-obvious that example code might help. > > (And those lists of crypto algorithms don't list RSA PKCS #1 v1.5 > signatures the same as encryption). > >>>> - promise to support a certain small subset of EC curves >>>> and uncompressed point format whenever ClientHello includes >>>> ECDHE cipher suites (but may omit TLS extensions). >>> >>> You have EC formats extension already. >> >> rfc4492 is severly broken, in that it specifies that a ClientHello >> without the two TLS EC extensions indicates that the client supports >> *EVERYTHING* in the rfc4492 spec (rather than a reasonable default >> subset). I hope that the IESG does not let such obvious breakage >> enter the standards track. > > Does RFC4492bis fix that? rfc4492bis can not fix that, unless a new signal is added that clients can include in ClientHello and that enables servers to distinguish rfc4492 peers from rfc4492bis peers. -Martin _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
