RSA-PSS â Provably secure RSA Signatures and their ...

More documents

Recommendations

Info

Signature Algorithm : rsassaPssHash Algorithm : sha512Mask Algorithm : mgf1 with sha512Salt Length : 01 BETrailer Field : 0 xbc ( default )Listing 1: ”PSS parameter block in OpenSSL”3.3 Standardization of Algorithm PrimitivesIn 1998, Bellare and Rogaway submitted the PSS algorithm to the IEEE (Instituteof Electrical and Electronics Engineers) P1363 working group for publickey cryptography. In 2000, the IEEE released P1363a [IEEE, 2004], whichcontains a PSS based (but significantly modified, see chapter 5) RSA signaturealgorithm padding called EMSA4 and also OAEP based RSA encryption.The PKCS standards are provided by RSA Inc., the company of RSA founderRon Rivest. PKCS #1 contains primitives for public key operations. In 2002,RSA laboratories published PKCS #1 v2.1 [RSA Inc., 2002], which providescryptographic primitives for RSA-PSS and RSA-OAEP. The function EMSA-PSS in PKCS #1 v2.1 is compatible with EMSA4 in IEEE 1363A. The PKCSstandards are widely used within the development of cryptographic solutions andstandards. In 2003, the IETF republished PKCS #1 v2.1 as RFC 3447. RFCstands for “Request for Comment”, all standards by the Internet EngineeringTask Force (IETF) that build the basis of the Internet are called RFCs.The PKCS #1 v2.1 standard also specifies so-called Object Identifiers (OIDs)for PSS and OAEP. Object Identifiers are part of the ASN.1 encoding standardand provide a hierarchical standard for unique identifiers for objects. All ASN.1-based cryptographic standards contain unique algorithm identifiers as OIDs.id-RSAES-OAEP 1.2.840.113549.1.1.7id-mgf1 1.2.840.113549.1.1.8id-pSpecified 1.2.840.113549.1.1.9id-RSASSA-PSS 1.2.840.113549.1.1.10id-mgf1 is for the mask generation function MGF1. pSpecified is only usedby OAEP, we will not cover the details here.With old PKCS #1 v1.5 paddings, there was usually an OID for every combinationof algorithm and hash function, so for example 1.2.840.113549.1.1.11is the OID for sha256WithRSAEncryption. This is different with PSS/OAEP.Instead, we have a parameter block after the algorithm identifier containing thehash function, the mask generation function, the hash function used to generatethe mask generation function, the salt length and a trailing field (the trailingfield has no real purpose, as it has a fixed value, it is only there for compatibilityreasons with IEEE P1363a). Listing 1 shows an example of the parameter blockin OpenSSL.14
In the PKCS standard, the old and new signature schemes are calledRSASSA-PSS and RSASSA-PKCS1-v1 5, the underlying encoding operationsEMSA-PSS and EMSA-PKCS1-v1 5. These naming conventions will be usedwithin this document. If we refer specifically to the original PSS version, wewill call it PSS96.3.4 Mask Generation FunctionPSS requires a so-called mask generation function. This is basically like a hashfunction, but with a variable output size. In other contexts, similar functionsare also called key derivation functions. The PKCS #1 v2.1 standard lists onlyone possible function, MGF1. It is based on an existing hash algorithm andjust works by using the input plus a four byte counter starting with zero as aninput for the hash function and increment the counter to get enough output bitsfrom the hash function. The last output is cut to get the required size. MGF1is mostly equivalent to the key derivation function KDF2, as specified in ISO18033-2 [ISO, 2006].MGF1 has the property that two calls to MGF1 with the same hash functionand the same input with a different output size would lead to an output identicalat the beginning. For example, if we calculate both MGF1(SHA-256, "hello",10) and MGF1(SHA-256, "hello", 20), we get:MGF1(SHA-256, "hello", 10) = da75447e22f9f99e1be0MGF1(SHA-256, "hello", 15) = da75447e22f9f99e1be09a00cf1a07As we see, the first 10 bytes of the second MGF1 output are identical to thefirst MGF1 output.This looks like an unideal cryptographic property of a mask generation function.This has no impact on PSS – the only possible scenario where one wouldhave the same input to MGF1 and a different output length would be if one usedthe same salt and message with a different key size (compare figure 4). So withina proper implementation of RSASSA-PSS, the use of MGF1 is just fine. However,if MGF1 is used within other cryptographic constructions, this propertyshould be consider and it should be investigated if it causes any problems.3.5 Patents on PSSThe University of California has filed two patents on PSS[Bellare and Rogaway, 2001] [Bellare and Rogaway, 2006]. During thestandardization process for IEEE P1363a, they claimed that if PSS withappendix gets standardized, they will freely license the patent to anyone doingimplementations of the standard [Grell and University of California, 1999].They would however charge fees for PSS with message recovery.Both patents have not been renewed and thus #6,266,771 expired on July24, 2009 and #7,036,014 expired on April 25, 2010. So currently, PSS in any15
Page 3 and 4: 7.6 No Support yet: OpenPGP, DNSSEC
Page 5 and 6: look at requirements by law and pos
Page 7 and 8: side: Every decryption operation pr
Page 9 and 10: MMGFMGF(M)Figure 2: Full Domain Has
Page 11 and 12: key size have equal security. Howev
Page 13: MHashPadding1mHashsaltPadding2saltH
Page 17 and 18: --- crypto / rsa / rsa_sign .c 26 A
Page 19 and 20: impact of fault-based attacks on ra
Page 21 and 22: This only works because the first t
Page 23 and 24: MsaltRMXRMHashPadding1mHashsaltPadd
Page 25 and 26: PKCS #1 v2.1 specifies the use of P
Page 27 and 28: Default / no parametersWith paramet
Page 29 and 30: MacOS X supports only PSS signature
Page 31 and 32: DNSSEC is a security extension to t
Page 33 and 34: static SECStatusemsa_pss_verify ( c
Page 35 and 36: such a struct to pass it down throu
Page 37 and 38: 8.10 DifficultiesI found out that t
Page 39 and 40: During the implementation of RSASSA
Page 41 and 42: Certificate :Data :Version : 3 (0 x
Page 43 and 44: 11 Really provable SecurityThe conc
Page 45 and 46: PSPACE problemsNP ProblemsBQPFigure
Page 47 and 48: and physics where today very little
Page 49 and 50: are more likely to consider the use
Page 51 and 52: [Brier et al., 2006] Brier, E., Che
Page 53 and 54: [IETF Network Working Group, 2005a]
Page 55 and 56: [Technical Committee CEN/TC 224, 20
Page 57 and 58: OAEP Optimal asymmetric Encryption

RSA-PSS â Provably secure RSA Signatures and their ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?

RSA-PSS â Provably secure RSA Signatures and their ...