On Fri, Dec 15, 2017 at 11:47:54AM -0500, Kathleen Moriarty wrote:
>
> Is there a reason why a migration to PKCS #1 v2.2 doesn't help for TLS
> 1.2 and prior? I haven't noticed any discussion on that previously. Is
> it just the code base and not those using it being unwilling to
> upgrade supporting libraries?
>
> From RFC8017:
>
> To avoid implementation weaknesses related to the way errors are
> handled within the decoding operation (see [BLEICHENBACHER] and
> [MANGER]), the encoding and decoding operations for RSAES-OAEP and
> RSAES-PKCS1-v1_5 are embedded in the specifications of the respective
> encryption schemes rather than defined in separate specifications.
> Both encryption schemes are compatible with the corresponding schemes
> in PKCS #1 v2.1.
>
> And, yes, I know deprecation is very hard, but if there's been no
> effort, it should be considered as TLS 1.2 isn't going away anytime
> soon.
The problem is that handling a decryption fault in TLS 1.2 and prior is
hard. The TLS 1.2 RFC already discusses how to do that. Basically, if
decryption fails, you need to carry on as if nothing had happened, but
then cause the Finished MAC check to fail. In _constant_ time. Which is
not easy, and even if your code looks constant time, compiler
"optimizations" can really ruin your day.

I think there should be a draft which formally deprecates RSA,
recommends the support to be removed (at least from server side) and
updates TLS 1.2 to change the MTI ciphersuite.

Of course, certain ("visibility") folks would scream about that.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
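As an added illustration, not code from this thread or from any TLS implementation: a C sketch of the countermeasure Ilari refers to, the procedure RFC 5246 section 7.4.7.1 prescribes for the RSA key exchange. After the raw RSA private-key operation the server checks the PKCS#1 v1.5 block and the client_version without data-dependent branches and, when anything is wrong, silently substitutes 48 random bytes it generated before the operation. The handshake proceeds either way and only the Finished MAC check fails, so the client sees no padding-dependent alert. All function names, the 128-byte block and the fixed padding bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48   /* TLS premaster secret is always 48 bytes */
#define PS_MIN  8    /* PKCS#1 v1.5 requires at least 8 nonzero padding bytes */

/* Branch-free helpers: the same instructions execute for any input byte. */
static uint32_t ct_is_zero(uint32_t x) { return ((x | (0u - x)) >> 31) ^ 1u; }
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ct_is_zero(a ^ b); }
static uint8_t  ct_mask8(uint32_t bit)   { return (uint8_t)(0u - (bit & 1u)); }

/* 1 if em, the k-byte result of the raw RSA private-key operation, has the
 * form 00 02 PS 00 M with every PS byte nonzero, M exactly PMS_LEN bytes,
 * and M starting with expected_version. Every byte is inspected whatever the
 * outcome. The result is only ever used as a selection mask: it must not be
 * turned into an alert, a log line, or a different code path. */
uint32_t tls_pkcs1_premaster_ok(const uint8_t *em, size_t k, uint16_t expected_version)
{
    if (k < 3 + PS_MIN + PMS_LEN)      /* k is the public modulus length */
        return 0;
    size_t sep = k - PMS_LEN - 1;      /* where the 0x00 separator must sit */
    uint32_t good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    for (size_t i = 2; i < sep; i++)   /* PS must contain no zero byte */
        good &= ct_is_zero(em[i]) ^ 1u;
    good &= ct_eq(em[sep], 0x00);
    good &= ct_eq(em[sep + 1], (uint32_t)(expected_version >> 8));
    good &= ct_eq(em[sep + 2], (uint32_t)(expected_version & 0xff));
    return good;
}

/* Writes PMS_LEN bytes to out: the decrypted premaster secret when em is
 * well formed, otherwise fallback (random bytes the caller drew before the
 * RSA operation). Either way the handshake continues and only the Finished
 * MAC check fails, so the peer learns nothing about the padding. */
void tls_rsa_select_premaster(const uint8_t *em, size_t k, uint16_t expected_version,
                              const uint8_t fallback[PMS_LEN], uint8_t out[PMS_LEN])
{
    uint8_t m = ct_mask8(tls_pkcs1_premaster_ok(em, k, expected_version));
    const uint8_t *msg = (k >= PMS_LEN) ? em + k - PMS_LEN : fallback; /* k is public */
    for (size_t i = 0; i < PMS_LEN; i++)
        out[i] = (uint8_t)((msg[i] & m) | (fallback[i] & (uint8_t)~m));
}

/* Test fixture (constructed, not a real decryption): a well-formed block for
 * a k-byte modulus with a fixed nonzero PS; pms already starts with version. */
void build_test_em(uint8_t *em, size_t k, const uint8_t pms[PMS_LEN])
{
    memset(em, 0x5a, k);
    em[0] = 0x00; em[1] = 0x02;
    em[k - PMS_LEN - 1] = 0x00;
    memcpy(em + k - PMS_LEN, pms, PMS_LEN);
}

/* Runs four scenarios and returns a bitmask of which behaved as intended:
 * bit0 good block -> real secret, bit1 zero in PS -> fallback,
 * bit2 wrong version -> fallback, bit3 wrong block type -> fallback. */
unsigned run_scenarios(void)
{
    enum { K = 128 };                       /* 1024-bit modulus, constructed */
    uint8_t em[K], pms[PMS_LEN], fb[PMS_LEN], out[PMS_LEN];
    for (int i = 0; i < PMS_LEN; i++) { pms[i] = (uint8_t)(0x10 + i); fb[i] = 0xee; }
    pms[0] = 0x03; pms[1] = 0x03;           /* client_version = TLS 1.2 */
    unsigned ok = 0;

    build_test_em(em, K, pms);
    tls_rsa_select_premaster(em, K, 0x0303, fb, out);
    if (memcmp(out, pms, PMS_LEN) == 0) ok |= 1u;

    em[5] = 0x00;                           /* zero inside PS: malformed padding */
    tls_rsa_select_premaster(em, K, 0x0303, fb, out);
    if (memcmp(out, fb, PMS_LEN) == 0) ok |= 2u;

    build_test_em(em, K, pms);
    em[K - PMS_LEN + 1] = 0x02;             /* client_version mismatch */
    tls_rsa_select_premaster(em, K, 0x0303, fb, out);
    if (memcmp(out, fb, PMS_LEN) == 0) ok |= 4u;

    build_test_em(em, K, pms);
    em[1] = 0x01;                           /* block type 1 instead of 2 */
    tls_rsa_select_premaster(em, K, 0x0303, fb, out);
    if (memcmp(out, fb, PMS_LEN) == 0) ok |= 8u;
    return ok;
}

int main(void)
{
    unsigned ok = run_scenarios();
    printf("scenarios passed: 0x%x (expect 0xf)\n", ok);
    return ok == 0xfu ? 0 : 1;
}
```

The helpers avoid data-dependent branches, but, as the message above notes, a compiler is free to turn `(msg[i] & m) | (fallback[i] & ~m)` back into a conditional move or jump; production libraries check the generated assembly or rely on audited constant-time primitives. The other half of the discipline is that the mask returned by the padding check feeds nothing but the selection: no alert, no log entry, no early return.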