On Fri, Jun 15, 2018 at 10:56:48AM -0400, David Benjamin wrote:
> On Fri, Jun 15, 2018 at 7:37 AM Nikos Mavrogiannopoulos <n...@redhat.com>
> wrote:
>
> I think it's a little more complex than that. Keys used in multiple ways
> are affected by interactions between those uses, so formal analysis tends
> to want to exclude these cases. So, yes, ideally we would separate every
> key everywhere. But, as Hubert notes elsewhere in the thread, we wish for
> the TLS 1.3 upgrade to be as smooth as possible, which includes being able
> to reuse any externally-provisioned keys (RSA, symmetric, or whatever).
> These two desires are in tension.
>
> For stuff like RSA, we don't have easy ways around this. If you have an
> id-rsaEncryption key---which is common---that's what you've got. So the RFC
> 4055 and TLS 1.3, for practicality's sake, allow this.
I once calculated that it is extremely unlikely that there exists _any_
RSA plaintext that is a valid signature (for possibly different messages)
as both RSA PKCS#1 v1.5 and RSA-PSS. This is regardless of whether such a
plaintext would be feasible to find, or whether it was feasible to find one
or both of the messages it signs.

However, a straight-out collision might not be a realistic model of this.
But on the other hand, with hashes, collision resistance of both hashes
does not imply one cannot feasibly find cross-collisions or even
cross-second-preimages.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
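Added illustration, not code from Ilari or from the thread: the two RFC 8017 encodings, EMSA-PKCS1-v1_5 and EMSA-PSS, implemented with SHA-256 so the structural checks that stop a v1.5 block from passing PSS verification (the 0xBC trailer, the leading zero bits, and the zero padding plus 0x01 that must reappear under the MGF1 mask) can be run directly. It assumes a 2048-bit modulus (em_bits = 2047) and a 32-byte salt; both are assumptions, not values from the thread.

```python
import hashlib

H_LEN = 32  # SHA-256 output length
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 with SHA-256 (RFC 8017, appendix B.2.1)."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def emsa_pkcs1_v15(msg: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo(hash)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def emsa_pss_encode(msg: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1): maskedDB || H || 0xBC."""
    em_len = (em_bits + 7) // 8
    m_hash = hashlib.sha256(msg).digest()
    h = hashlib.sha256(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, len(db))))
    first = masked[0] & (0xFF >> (8 * em_len - em_bits))  # clear leading bits
    return bytes([first]) + masked[1:] + h + b"\xbc"

def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017, 9.1.2); False on any structural mismatch."""
    em_len = len(em)
    if em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top_zero_bits = 8 * em_len - em_bits
    if masked[0] >> (8 - top_zero_bits):  # leading bits must be zero
        return False
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, len(masked))))
    db = bytes([db[0] & (0xFF >> top_zero_bits)]) + db[1:]
    pad_len = em_len - H_LEN - s_len - 2
    if db[:pad_len] != b"\x00" * pad_len or db[pad_len] != 0x01:
        return False
    salt = db[pad_len + 1:]  # exactly s_len bytes remain
    m_hash = hashlib.sha256(msg).digest()
    return hashlib.sha256(b"\x00" * 8 + m_hash + salt).digest() == h

def v15_block_passes_pss(msg: bytes, em_bits: int, s_len: int) -> bool:
    # Does the v1.5 block for msg also verify as a PSS block for msg?
    em = emsa_pkcs1_v15(msg, (em_bits + 7) // 8)
    return emsa_pss_verify(msg, em, em_bits, s_len)
```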