RSA-PSS â Provably secure RSA Signatures and their ...

More documents

Recommendations

Info

and hash algorithm gets its own constant, e.g., CKG MGF1 SHA256, while in PKCS#1 there is an additional parameter to the mask generation function for the hashfunction.PKCS #11, however, does not have a way to define designated PSS keys.PKCS #11 2.20 only has one key type for RSA – CKK RSA – it does not differentiatethe use of the RSA key.7.4 IPsecIPsec is a protocol to add a cryptographic layer on the IP protocol. IPsec iscomposed by a large number of sub-protocols. In the IETF-standard RFC 4359[IETF Network Working Group, 2006], the use of RSASSA-PSS in the EncapsulatingSecurity Payload (ESP) and Authentication Header (AH) protocolspart of the IPsec protocol is specified. However, it is not possible to use anyother hash function than SHA-1 (see chapter 6.1).7.5 XMLDSig, XMLencFor XML documents, the W3C has two cryptographic specifications, XMLencfor encryption [W3C, 2002] and XMLDSig for signatures [W3C, 2008]. WhileXMLenc supports OAEP encryption, PSS support in XMLDSig is lacking. Aproposal from 2007 [Lanz et al., 2007] exists but has not been adopted in thelatest revision of the standard in 2008. Due to the known weaknesses of SHA-1,this proposal uses SHA-256 as the default hash function.Unlike X.509, XMLDSig does not use Object Identifiers for algorithms, insteadit uses an URL-based scheme. The URL directly refers to the algorithmspecification on the W3C web page.The proposal of Lanz defines these identifiers:http://www.example.org/xmldsig-pss/#rsa-psshttp://www.example.org/xmldsig-pss/#mgf1Once standardized, http://www.example.org/ will be replaced by somethinglike http://www.w3.org/2011/09/xmldsig-pss.7.6 No Support yet: OpenPGP, DNSSEC, TLSThe software Pretty Good Privacy (PGP) by Phil Zimmerman made emailencryption popular in 1991. Today, PGP and other implementations likethe free software GPG are based on the OpenPGP standard RFC 4880[IETF Network Working Group, 2007]. Although PKCS #1 v2.1 had alreadybeen released when the standard was written, it exclusively uses EMSA-PKCS1-v1 5 and there are no plans to change that yet. RFC 4880 also lists a couple ofreserved algorithm IDs, e.g., for elliptic curve cryptography, but none are listedfor OAEP/PSS.30
DNSSEC is a security extension to the domain name system. It was developedback in 1999, but saw no widespread use for quite a long time. In 2008,security researcher Dan Kaminsky presented a real-world attack on the cachingof DNS [US-CERT, 2008]. Through mitigation measures, it was possible tomake such attacks much harder, still DNSSEC is considered the only long-termsolution for a reliable DNS. All domain name authorities are working on implementingDNSSEC and the root zone has been signed in 2010. The latestsignature algorithms based on RSA and SHA-2 are specified in RFC 5702 anduse EMSA-PKCS1-v1 5 (section 3 in [IETF Network Working Group, 2009]).Section 8.1 contains a note that this has been decided to make the transitionfrom the SHA-1 algorithms easier. It is unlikely that this will change, as thecurrent plans of the DNS working group at the IETF are to switch to ellipticcurve algorithms in the future.DKIM (DomainKeys Identified Mail) is a signature system for outgoingemails to prevent spam. Similar to DNSSEC, it was developed long after thestandardization of PSS, but supports exclusively RSA-PKCS1-v1 5, because itsauthors feared it would make implementation too difficult if they required ascheme not widely supported.The Transport Layer Security protocol (formerly SSL) is widely used tosecure existing protocols, like https, pop3s, smtps etc. The latest version doesnot support any padding beside RSASSA-PKCS1-v1 5.As shown in this chapter, a couple of the most significant cryptographicprotocols don’t support RSASSA-PSS at all and there are no transition plans.7.7 Other Protocols using PSSA small number of less widely used protocols implement PSS.Microsoft’s digital rights management system COPP is using RSASSA-PSSsignatures to verify signatures on graphics drivers. However, it uses SHA-1 asa hash algorithm and sets the salt length to zero [Microsoft, 2010].The European standard for smart cards prEN 14890-1:2008 defines an interfacefor RSASSA-PSS based signatures (part 2, page 14, chapter 6.3.2 in[Technical Committee CEN/TC 224, 2008]). It states that the hash for themask generation function and the input have to be the same.7.8 SummaryWe have seen that the support for PSS within cryptographic protocols is verylimited. Many important protocol standards don’t support it at all and fromthe ones that do, implementations are rare.31
Page 3 and 4: 7.6 No Support yet: OpenPGP, DNSSEC
Page 5 and 6: look at requirements by law and pos
Page 7 and 8: side: Every decryption operation pr
Page 9 and 10: MMGFMGF(M)Figure 2: Full Domain Has
Page 11 and 12: key size have equal security. Howev
Page 13 and 14: MHashPadding1mHashsaltPadding2saltH
Page 15 and 16: In the PKCS standard, the old and n
Page 17 and 18: --- crypto / rsa / rsa_sign .c 26 A
Page 19 and 20: impact of fault-based attacks on ra
Page 21 and 22: This only works because the first t
Page 23 and 24: MsaltRMXRMHashPadding1mHashsaltPadd
Page 25 and 26: PKCS #1 v2.1 specifies the use of P
Page 27 and 28: Default / no parametersWith paramet
Page 29: MacOS X supports only PSS signature
Page 33 and 34: static SECStatusemsa_pss_verify ( c
Page 35 and 36: such a struct to pass it down throu
Page 37 and 38: 8.10 DifficultiesI found out that t
Page 39 and 40: During the implementation of RSASSA
Page 41 and 42: Certificate :Data :Version : 3 (0 x
Page 43 and 44: 11 Really provable SecurityThe conc
Page 45 and 46: PSPACE problemsNP ProblemsBQPFigure
Page 47 and 48: and physics where today very little
Page 49 and 50: are more likely to consider the use
Page 51 and 52: [Brier et al., 2006] Brier, E., Che
Page 53 and 54: [IETF Network Working Group, 2005a]
Page 55 and 56: [Technical Committee CEN/TC 224, 20
Page 57 and 58: OAEP Optimal asymmetric Encryption

RSA-PSS â Provably secure RSA Signatures and their ...

Create successful ePaper yourself

Delete template?

Save as template?

RSA-PSS â Provably secure RSA Signatures and their ...