RSA-PSS â Provably secure RSA Signatures and their ...

More documents

Recommendations

Info

saltMHashsalt0paddingMGFxor0HmaskedDBFigure 3: Original PSS algorithm [Bellare and Rogaway, 1996] 73 The Probabilistic Signature SchemeAfter inventing the random oracle model and proposing a scheme they latercalled Full Domain Hashing, Bellare and Rogaway continued their work byproposing two new schemes for RSA that became the basis of upcoming cryptographystandards. For encryption, they propose the Optimal AsymmetricEncryption Padding (OAEP) [Bellare and Rogaway, 1995].In a paper from 1996, Rogaway and Bellare discuss the security of the originalhash-then-sign scheme and the Full Domain Hashing scheme. They come to theconclusion that for both schemes, no tight security assertions can be made. Theyprovide another scheme, the Probabilistic Signature Scheme. They can prove inthe random oracle model that the security of the scheme can be tightly relatedto the hardness of inverting the RSA function [Bellare and Rogaway, 1996].Both PSS and OAEP have randomization, which provides protection againstcertain types of implementation attacks (see chapter 4.2). It should also be notedthat the randomization is a crucial part of the security proof and that attacksmay be possible if the source of the random numbers is weak [Brown, 2005].3.1 How PSS worksPSS takes the input message and a salt (a random number) and runs themthrough a hash function. This hash H is used as the beginning part of theoutput. Then, a mask of H is calculated, which has the length of the RSAmodulus minus the length of H. This mask is then XOR-ed with the salt(and some zero padding) and the output will be called maskedDB. Then,maskedDB is appended to H to generate the input for the RSA function (seefigure 3 for a graphical representation of the algorithm).7 The diagram in the original PSS paper looks quite differently, I created this diagram ina similar way as the one in PKCS #1 v2.1 to outline the similarities and differences betweenthe original proposal and the final standard.12
MHashPadding1mHashsaltPadding2saltHashxorMGFbcmaskedDBHbcFigure 4: RSASSA-PSS according to PKCS #1 v2.1 / RFC 3447 errata 8The variant that later became part of standards is slightly different. H andmaskedDB are switched in their order. The input message M is hashed atthe beginning and then hashed again with a salt appended (see figure 4 for agraphical representation). We will discuss the security impact of those changeslater in chapter 5.It is in theory possible to set the salt size to zero. This makes PSS a deterministicalgorithm again which has security properties similar to Full DomainHashing.3.2 Appendix and Message RecoveryPSS comes in two variants, with appendix and with message recovery. Signaturescheme with appendix (sometimes referred to as SSA) means that the signatureis an additional block of data appended to a signed message. Message recoverymeans that parts of the message are encoded within the signature. This can berelevant if the size of the transmitted data is a bottleneck and every byte matters– for example on smart cards. In the vast majority of applications, messagerecovery is not needed and signature scheme with appendix is the default andalso the only variant of PSS specified in the PKCS #1 standard by RSA Inc.and the IETF (Internet Engineering Task Force).8 The diagram in the original version of PKCS #1 v2.1 / RFC 3447 is erroneous, however,the IETF never changes finished RFCs. The correct version of the diagram is listed in theRFC Errata at http://www.rfc-editor.org/errata_search.php?rfc=344713
Page 3 and 4: 7.6 No Support yet: OpenPGP, DNSSEC
Page 5 and 6: look at requirements by law and pos
Page 7 and 8: side: Every decryption operation pr
Page 9 and 10: MMGFMGF(M)Figure 2: Full Domain Has
Page 11: key size have equal security. Howev
Page 15 and 16: In the PKCS standard, the old and n
Page 17 and 18: --- crypto / rsa / rsa_sign .c 26 A
Page 19 and 20: impact of fault-based attacks on ra
Page 21 and 22: This only works because the first t
Page 23 and 24: MsaltRMXRMHashPadding1mHashsaltPadd
Page 25 and 26: PKCS #1 v2.1 specifies the use of P
Page 27 and 28: Default / no parametersWith paramet
Page 29 and 30: MacOS X supports only PSS signature
Page 31 and 32: DNSSEC is a security extension to t
Page 33 and 34: static SECStatusemsa_pss_verify ( c
Page 35 and 36: such a struct to pass it down throu
Page 37 and 38: 8.10 DifficultiesI found out that t
Page 39 and 40: During the implementation of RSASSA
Page 41 and 42: Certificate :Data :Version : 3 (0 x
Page 43 and 44: 11 Really provable SecurityThe conc
Page 45 and 46: PSPACE problemsNP ProblemsBQPFigure
Page 47 and 48: and physics where today very little
Page 49 and 50: are more likely to consider the use
Page 51 and 52: [Brier et al., 2006] Brier, E., Che
Page 53 and 54: [IETF Network Working Group, 2005a]
Page 55 and 56: [Technical Committee CEN/TC 224, 20
Page 57 and 58: OAEP Optimal asymmetric Encryption

RSA-PSS â Provably secure RSA Signatures and their ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?

RSA-PSS â Provably secure RSA Signatures and their ...