RSA-PSS â Provably secure RSA Signatures and their ...

More documents

Recommendations

Info

The BLAKE hash function has two inputs: The message and an optional salt.The BLAKE paper explicitly mentions that this can be used for randomizedhashing (chapter 4.4, page 28 in [Aumasson et al., 2010]).In the proposal for the Grøstl hash function, randomized hashing is also mentioned(chapter 6.2, page 18 in [Gauravaram et al., 2011]). However, Grøstl hasno dedicated mode for randomized hashing, the authors suggest that the methodproposed by Halevi/Krawczyk and the NIST can be used without modification.The Keccak authors propose “keyed or randomized modes simply byprepending a key or salt to the input message” 11 . This is roughly the samethat is done in PSS96.The most interesting concept is in Skein. They define the possibility touse several optional inputs to the hash function (chapter 2.5, page 6 in[Schneier et al., 2010]). Like BLAKE, Skein offers the possibility to inject asalt (they call it nonce, but that is the same), making the direct use of Skeinas a randomized hashing function possible. The Skein paper proposes furtherto use a unique identifier for every protocol as an additional input to avoid interactionbetween protocols [Schneier et al., 1997]. It also suggests to use thepublic key in a cryptographic operation as an additional input. The definitionof further optional arguments is possible and recommended.5.5 SummaryWe have seen that in the standardization process of PSS, a questionable tradeoffhas been made between security and easier implementation. Through directrandomization of the input with a salt the original PSS96 proposal providesenhanced target collision resistance (eTCR).However, the idea of randomized hashing and the ongoing SHA-3 competitionprovide an opportunity to get this eTCR property back within upcomingstandards.6 Considerations for Implementations6.1 Hash AlgorithmPSS requires a hash function and a mask generation function derived from a hashfunction. While it is in theory possible to use two different hash functions forthat, it is suggested to use the same for both for simplicity. Still, a combinationof two secure hash functions (for example SHA-256 as the input hash and MGF1with SHA-512 as the mask generation function) does not cause any securityproblems.11 keccak website at http://keccak.noekeon.org/24
PKCS #1 v2.1 specifies the use of PSS with either SHA-1 or one of the SHA-2 (SHA-256, SHA-384, SHA-512) algorithms. Later standards like RFC 4055(PSS signatures for X.509) additionally allow SHA-224. The proposed defaultis SHA-1.However, it is highly suggested not to use SHA-1 anymore. We alreadydiscussed the weaknesses of still widely used hash functions MD5 and SHA-1in chapter 2.5. Up until now, the SHA-2-family (SHA-224, SHA-256, SHA-385, SHA-512) can be considered secure and is the only widely accepted hashstandard without known weaknesses.As PSS is a safety measure against unknown attacks, it barely makes anysense to use it with SHA-1, where attacks are already known. The switch fromMD5/SHA-1 to SHA-2 should have a higher priority than the implementationof PSS padding.6.2 Key SizeFor a long time, RSA key sizes between 512 and 768 bit were quite common.They should be considered completely insecure today, although they still canbe found in real-world applications. In 2010, a research team factorized a 768bit number [Kleinjung et al., 2010]. In 2009, it was possible to factorize a 512bit key used for signing the operating system of a Texas Instruments calculatorby a private person on a home computer [ticalc.org, 2009]. Those attacks havealso questioned the security of RSA with 1024 bit.In 2003, Adi Shamir (one of the original RSA authors) proposed a theoreticaldesign for a hypothetical device called TWIRL (The Weizmann Institute RelationLocator) that would be capable of factoring large numbers up to 1024 bitin less than a year with a 10 million dollar device [Shamir and Tromer, 2003].This would fully break RSA with a key size of 1024 bit or lower, meaning thatthe private key can be revealed with knowledge of the public key.Due to the high costs, nobody has publicly built a TWIRL device. However,as with the transition to new hash functions, the transition to key sizes above1024 bit should have higher priority than the transition to PSS and while intheory possible, it barely makes sense to use PSS with a RSA key size of 1024bit. RSA Inc. as well as the NIST propose not to use 1024 bit keys after 2010any more.6.3 ExponentIn its early days, RSA was done with a random, large-sized exponent. Later,it became prevalent that for better performance in the encryption / verificationprocess, very small exponents like e = 3 could be used. Textbook RSA incombination with a small exponent raises a number of issues, but all of themcan be avoided with padding and hashing.25
Page 3 and 4: 7.6 No Support yet: OpenPGP, DNSSEC
Page 5 and 6: look at requirements by law and pos
Page 7 and 8: side: Every decryption operation pr
Page 9 and 10: MMGFMGF(M)Figure 2: Full Domain Has
Page 11 and 12: key size have equal security. Howev
Page 13 and 14: MHashPadding1mHashsaltPadding2saltH
Page 15 and 16: In the PKCS standard, the old and n
Page 17 and 18: --- crypto / rsa / rsa_sign .c 26 A
Page 19 and 20: impact of fault-based attacks on ra
Page 21 and 22: This only works because the first t
Page 23: MsaltRMXRMHashPadding1mHashsaltPadd
Page 27 and 28: Default / no parametersWith paramet
Page 29 and 30: MacOS X supports only PSS signature
Page 31 and 32: DNSSEC is a security extension to t
Page 33 and 34: static SECStatusemsa_pss_verify ( c
Page 35 and 36: such a struct to pass it down throu
Page 37 and 38: 8.10 DifficultiesI found out that t
Page 39 and 40: During the implementation of RSASSA
Page 41 and 42: Certificate :Data :Version : 3 (0 x
Page 43 and 44: 11 Really provable SecurityThe conc
Page 45 and 46: PSPACE problemsNP ProblemsBQPFigure
Page 47 and 48: and physics where today very little
Page 49 and 50: are more likely to consider the use
Page 51 and 52: [Brier et al., 2006] Brier, E., Che
Page 53 and 54: [IETF Network Working Group, 2005a]
Page 55 and 56: [Technical Committee CEN/TC 224, 20
Page 57 and 58: OAEP Optimal asymmetric Encryption

RSA-PSS â Provably secure RSA Signatures and their ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?

RSA-PSS â Provably secure RSA Signatures and their ...