Hi,

On Sat, 6 Aug 2016 18:54:56 -1000 Brian Smith <br...@briansmith.org> wrote:

> Also, I think it would be great if people working on proofs of
> security for TLS could take into consideration the fact that
> some--perhaps many--implementations will intentionally or accidentally
> use some form of deterministic or less-than-random salt generation for
> RSA-PSS. For example, it would be great to see a "What if the salt(s)
> in the RSA PSS signature(s) were generated deterministically?" section
> of papers describing such proofs.

Actually there is some info on that in the PSS spec [1].

What I write here is my limited understanding, but roughly I'd interpret it as this: It says that if you use a non-random salt the security gets reduced to the security of full domain hashing, which was kinda the predecessor of PSS.

I'd conclude from that that even in a situation where the salt generation is a non-random value nothing really bad happens. The security of a PSS scheme without randomness is still better than that of a PKCS #1 1.5 signature.

Maybe some more knowledgeable people want to add something, but the bottom line is I think that we don't need to worry too much about the randomness part here. Unlike with other situations (e.g. ecdsa/dsa) the randomness is not a piece that once you take it away everything blows up.

[1] https://tools.ietf.org/html/rfc3447

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
TLS mailing list, TLS@ietf.org, https://www.ietf.org/mailman/listinfo/tls
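The following is an added illustration of the point discussed in the mail above; it is not part of the original message and not code by Hanno Böck or the IETF. It implements the EMSA-PSS encoding and verification operations of RFC 3447 (sections 9.1.1 and 9.1.2) with SHA-256 and MGF1, and runs them three ways on the same constructed message: with a fresh random salt, with a salt derived deterministically from a constructed signer secret, and with an empty salt (the full-domain-hash-like case the mail refers to). The verifier recovers the salt from DB, so it never learns or cares how the signer chose it; the RSA exponentiation step is assumed and left out, and em_bits = 1023 is an assumption standing in for a 1024-bit modulus.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HLEN = HASH().digest_size  # 32 bytes for SHA-256


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 3447 appendix B.2.1) instantiated with SHA-256."""
    out = b""
    for counter in range((mask_len + HLEN - 1) // HLEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 3447 section 9.1.1). The caller supplies the
    salt, so one function covers the random, deterministic and empty cases."""
    em_len = (em_bits + 7) // 8
    s_len = len(salt)
    if em_len < HLEN + s_len + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    m_hash = HASH(message).digest()
    # M' = (eight zero octets) || mHash || salt ;  H = Hash(M')
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()
    # DB = PS || 0x01 || salt, with PS all-zero padding
    db = b"\x00" * (em_len - s_len - HLEN - 2) + b"\x01" + salt
    masked_db = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - HLEN - 1)))
    # Clear the leftmost 8*emLen - emBits bits so that EM < 2^emBits
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, s_len: int):
    """EMSA-PSS-VERIFY (RFC 3447 section 9.1.2). Returns (consistent, salt);
    the salt is recovered from DB, whatever way the signer generated it."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + s_len + 2 or len(em) != em_len or em[-1] != 0xBC:
        return False, None
    masked_db, h = em[: em_len - HLEN - 1], em[em_len - HLEN - 1 : em_len - 1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:
        return False, None
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - HLEN - 1)))
    db[0] &= top_mask
    ps_len = em_len - HLEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False, None
    salt = bytes(db[len(db) - s_len :])  # last sLen octets of DB (empty if sLen == 0)
    h_prime = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    return hmac.compare_digest(h, h_prime), salt


def demo(em_bits: int = 1023):
    """em_bits = modBits - 1 for an assumed 1024-bit RSA modulus.
    The RSA private-key operation s = EM^d mod n is left out on purpose."""
    msg = b"constructed sample: TLS CertificateVerify transcript hash"
    s_len = HLEN
    # (a) random salt: two encodings of one message differ, both verify
    random_a = emsa_pss_encode(msg, em_bits, os.urandom(s_len))
    random_b = emsa_pss_encode(msg, em_bits, os.urandom(s_len))
    # (b) deterministic salt from a constructed signer secret and the message:
    #     encodings are identical, and still consistent for the verifier
    det_salt = hmac.new(b"constructed signer secret", msg, HASH).digest()
    det_a = emsa_pss_encode(msg, em_bits, det_salt)
    det_b = emsa_pss_encode(msg, em_bits, det_salt)
    # (c) empty salt: the full-domain-hash-like case
    fdh_like = emsa_pss_encode(msg, em_bits, b"")
    return {
        "msg": msg,
        "det_salt": det_salt,
        "random_differ": random_a != random_b,
        "random_ok": emsa_pss_verify(msg, random_a, em_bits, s_len)[0]
        and emsa_pss_verify(msg, random_b, em_bits, s_len)[0],
        "det_identical": det_a == det_b,
        "det_ok": emsa_pss_verify(msg, det_a, em_bits, s_len),
        "fdh_like_ok": emsa_pss_verify(msg, fdh_like, em_bits, 0)[0],
        "tampered_rejected": not emsa_pss_verify(msg + b"!", random_a, em_bits, s_len)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

What the run shows is the structural reason behind the mail's argument: the salt only enters through M' and DB, and a verifier recovers it from DB, so a deterministic or empty salt yields a signature that is just as consistent under EMSA-PSS-VERIFY. What changes is the proof, not the wire format, which is why the reduction in the spec is the thing to read rather than the encoding itself.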