RSA-PSS â Provably secure RSA Signatures and their ...

More documents

Recommendations

Info

Figure 7: RSASSA-PSS certificate with Internet Explorer on Windows 7(Chrome/Chromium). There are two widely used free software implementationsof X.509 and SSL: nss (Network Security Service, used by Mozilla Firefox/Thunderbirdand Google Chrome/Chromium on Linux) and OpenSSL (used by theApache web server, the Opera browser and many others). Slighter less used isGnuTLS.I myself have contributed code for RSASSA-PSS support to the nss / Mozillaproject during the Google Summer of Code 2010 (we will cover implementationdetails later in chapter 8). It will probably be part of one of the next majorFirefox updates (5.0 or 6.0).PSS support is also present in the current CVS code of OpenSSL and willbe part of the upcoming 1.1 release. With the openssl command line tool, itcan be enabled with the parameter -sigopt rsa padding mode:pss and thesalt length can be set with -sigopt rsa pss saltlen:64. By default, opensslmakes the salt as long as possible.Microsoft Windows supports PSS signatures since Windows Vista, but failswith some uncommon parameters. It does not support SHA224 as the hashfunction (this is not limited to PSS) and it fails when the input hash functionis different from the mask generation function’s hash function.28
MacOS X supports only PSS signatures with default parameters. This limitsthe support to signatures with the weak hash function SHA1.There also exist two Java libraries which support RSASSA-PSS signatures.The free software project Bouncy Castle supports certificate signatures.The most complete RSASSA-PSS support is in a Java library by the Institutefor Applied Information Processing and Communication (IAIK) at the TechnicalUniversity of Graz. It is the only implementation I’m aware of that is able togenerate designated RSASSA-PSS certificates. A free version for educationaland research purpose can be downloaded at their website 12 .The US-based Electronic Frontier Foundation runs the SSL Observatory 13 ,a research project that collects all certificates on https connections in the fullpublic IPv4 space. The complete database contains about 12 million certificates.Out of them, only four certificates on two IPs listed that are signedwith RSASSA-PSS. They were not signed by any browser-accepted certificateauthority.7.2 Cryptographic Message Syntax (CMS) and S/MIMEThe Cryptographic Message Syntax (CMS), based on the older PKCS #7, specifiesencryption and signatures for generic messages. Its main use is withinS/MIME, a widely used standard for email encryption and signing. It is basedon X.509 certificates.RSASSA-PSS and RSA-OAEP for CMS have been specified within RFC4056 [IETF Network Working Group, 2005b]. CMS signatures are very similarto signatures within X.509.I am not aware of any implementation of RSASSA-PSS for CryptographicMessage Syntax.7.3 PKCS #11PKCS #11 is a generic abstraction API defining cryptographic operations andobjects. PKCS #11 ships header files defining constants for cryptographic objectssuch as keys, signatures and algorithms. A constant starting with CKMdescribes a “method”, basically meaning an algorithm. Since PKCS #11 version2.11, it knows the method CKM RSA PKCS PSS (chapter 12.1.9, page 201 in[RSA Inc., 2004]).PKCS #11 also has an abstraction for the PSS parameter block namedCK RSA PKCS PSS PARAMS. This defines a C struct containing all the relevantmeta information for a signature. There is a slight conceptual difference from theASN.1 structs from PKCS #1: Every combination of mask generation function12 http://jce.iaik.tugraz.at/13 https://www.eff.org/observatory29
Page 3 and 4: 7.6 No Support yet: OpenPGP, DNSSEC
Page 5 and 6: look at requirements by law and pos
Page 7 and 8: side: Every decryption operation pr
Page 9 and 10: MMGFMGF(M)Figure 2: Full Domain Has
Page 11 and 12: key size have equal security. Howev
Page 13 and 14: MHashPadding1mHashsaltPadding2saltH
Page 15 and 16: In the PKCS standard, the old and n
Page 17 and 18: --- crypto / rsa / rsa_sign .c 26 A
Page 19 and 20: impact of fault-based attacks on ra
Page 21 and 22: This only works because the first t
Page 23 and 24: MsaltRMXRMHashPadding1mHashsaltPadd
Page 25 and 26: PKCS #1 v2.1 specifies the use of P
Page 27: Default / no parametersWith paramet
Page 31 and 32: DNSSEC is a security extension to t
Page 33 and 34: static SECStatusemsa_pss_verify ( c
Page 35 and 36: such a struct to pass it down throu
Page 37 and 38: 8.10 DifficultiesI found out that t
Page 39 and 40: During the implementation of RSASSA
Page 41 and 42: Certificate :Data :Version : 3 (0 x
Page 43 and 44: 11 Really provable SecurityThe conc
Page 45 and 46: PSPACE problemsNP ProblemsBQPFigure
Page 47 and 48: and physics where today very little
Page 49 and 50: are more likely to consider the use
Page 51 and 52: [Brier et al., 2006] Brier, E., Che
Page 53 and 54: [IETF Network Working Group, 2005a]
Page 55 and 56: [Technical Committee CEN/TC 224, 20
Page 57 and 58: OAEP Optimal asymmetric Encryption

RSA-PSS â Provably secure RSA Signatures and their ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?

RSA-PSS â Provably secure RSA Signatures and their ...