Tony Arcieri <basc...@gmail.com> writes:

>Do you think we'll see real-world MitM attacks against RSA-PSS in TLS similar
>to those we've seen with PKCS#1v1.5 signature forgery, such as BERserk?
Not BERserk specifically, because that was an attack on the ASN.1, not the signature format. OTOH, PSS doesn't encode the hash algorithm as 1.5 does, so here's a much simpler attack: take a breakable hash function with an output the same size as the one used in the sig, generate your collision, and paste the sig onto colliding data, indicating the use of the breakable function, not the one used to generate the original sig. Done.

Couldn't happen with 1.5 because that encodes the details of the hash function used as part of the signature.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
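The encoding difference Peter is pointing at, as an added example that is not code from the thread or from any TLS implementation: a pure-Python build of the two RFC 8017 encodings (EMSA-PKCS1-v1_5 and EMSA-PSS) operating on the encoded message EM that the RSA private key actually signs, with no RSA arithmetic since the point lives entirely in EM. In the v1.5 encoding the DigestInfo carries the hash's OID, so a verifier can read back which hash the signer committed to and compare it with what was negotiated; in the PSS encoding nothing names the hash, so the verifier has to be told which one to use and can only check consistency under that assumption. The function names, the 2048-bit modulus (emBits = 2047) and the fixed 32-byte salt are assumptions made for this example.

```python
"""Added example: where the hash identity lives in PKCS#1 v1.5 versus PSS.
Assumptions: 2048-bit modulus (emBits = 2047, emLen = 256); constructed
messages and a fixed salt; only SHA-1 and SHA-256 are tabulated."""
import hashlib
from typing import Optional

# DER DigestInfo prefixes (RFC 8017, section 9.2, note 1) that precede H(M).
DIGESTINFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def emsa_pkcs1_v15_encode(message: bytes, hash_name: str, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xff..., >= 8 bytes) || 0x00 || DigestInfo."""
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def v15_hash_in_em(em: bytes) -> Optional[str]:
    """Recover the hash a v1.5 EM commits to from its DigestInfo OID.
    A verifier compares this with the negotiated algorithm; mismatch = reject."""
    if not em.startswith(b"\x00\x01"):
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return None
    t = em[sep + 1:]
    for name, prefix in DIGESTINFO_PREFIX.items():
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(name).digest_size:
            return name
    return None


def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 from RFC 8017 appendix B.2.1; note it also depends on the hash choice."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def emsa_pss_encode(message: bytes, em_bits: int, hash_name: str, salt: bytes) -> bytes:
    """RFC 8017 section 9.1.1. Nothing in EM names the hash; only hLen is visible."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if em_len < h_len + len(salt) + 2:
        raise ValueError("encoding error")
    m_hash = hashlib.new(hash_name, message).digest()
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - h_len - 1, hash_name)))
    # Clear the leftmost 8*emLen - emBits bits so EM < modulus.
    top_mask = 0xFF >> (8 * em_len - em_bits)
    return bytes([masked_db[0] & top_mask]) + masked_db[1:] + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, hash_name: str, s_len: int) -> bool:
    """RFC 8017 section 9.1.2. hash_name must arrive out of band (negotiation,
    certificate, protocol field); the EM itself cannot tell the verifier."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:
        return False
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - h_len - 1, hash_name)))
    db = bytes([db[0] & top_mask]) + db[1:]
    ps_len = em_len - h_len - s_len - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False
    salt = db[-s_len:] if s_len else b""
    m_hash = hashlib.new(hash_name, message).digest()
    return h == hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()


def pss_em_names_hash(em: bytes) -> bool:
    """True only if a DigestInfo prefix appears anywhere in a PSS EM (it never does)."""
    return any(prefix in em for prefix in DIGESTINFO_PREFIX.values())


if __name__ == "__main__":
    msg, salt = b"constructed message", bytes(range(32))  # constructed inputs
    v15 = emsa_pkcs1_v15_encode(msg, "sha256", 256)
    print("v1.5 EM commits to:", v15_hash_in_em(v15))
    pss = emsa_pss_encode(msg, 2047, "sha256", salt)
    print("PSS EM names a hash:", pss_em_names_hash(pss))
    print("PSS verify as sha256:", emsa_pss_verify(msg, pss, 2047, "sha256", 32))
    print("PSS verify as sha1:  ", emsa_pss_verify(msg, pss, 2047, "sha1", 20))
```

The practical consequence for a verifier: with v1.5, `v15_hash_in_em` gives a second, signer-bound source for the hash algorithm, and a verifier that insists it equals the negotiated one closes off substitution at the encoding layer. With PSS, `emsa_pss_verify` takes `hash_name` as a parameter and has no independent way to check it, so the protocol layer that supplies it (in TLS, the negotiated signature scheme) carries the whole weight; a verifier must not let that field be chosen from anything the peer can vary more freely than the negotiated scheme allows.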