RSA-PSS â Provably secure RSA Signatures and their ...

More documents

Recommendations

Info

Figure 9: Certificate signed with RSASSA-PSS in Firefox, old and new.[dir] must be replaced with a directory name where the certificate databasewill be generated and stored. The --pss parameter can be followed by a combinationof mask generation function, appertaining hash function and salt length.It is also possible to specify --pss default - this will select the defaults fromthe standard (MGF1 with SHA-1 and a salt length of 32 Bytes). The hash functionfor the input message is not specific to PSS and can be specified throughthe -Z parameter.8.8 FirefoxWhen the nss library is able to verify RSASSA-PSS signatures on certificates,this is also true for any application using that library. Therefore, Firefox itselfneeds no code changes to be able to verify PSS certificates. The only cosmeticchange that is necessary is to let Firefox know about the Object Identifier, sothe GUI can correctly display the used certificate algorithm (see Figure 9).8.9 Further workDuring my work on nss, I tested my code with the debugging tool Valgrind formemory leaks, which helped a lot to spot bugs in my own work. The existingcommand line tools from nss had a couple of own memory leaks I eliminatedduring that work to make the checking easier 14 .14 https://bugzilla.mozilla.org/582800 and https://bugzilla.mozilla.org/58180436
8.10 DifficultiesI found out that the most difficult part was not the implementation of the PSSpadding itself, but the handling of the parameter block. RFC 3447 specifiesa parameter block (s. 49 in [RSA Inc., 2002]) allowing to specify the hashfunction, salt length, mask generation function and the hash function used insidethe mask generation function. The parameters are decoded (cryptohi/secvfy.c)several API layers above the signature generation (softoken/rsawrapr.c) andhave to be passed through them (pk11wrap/pk11obj.c). None of the existingalgorithms within nss had a parameter block, so this required a bunch of APIchanges.8.11 Conclusions from the ImplementationThe parameter block adds a lot of complexity for no real gain. It allows forexample constructions where the hash function used directly and the hash functionfor the mask generation function differ (e.g., SHA-1 with MGF1 usingSHA-256). The variable salt length allows to choose values that violate thesecurity properties of the whole PSS construction (e.g., a zero length salt). Itwould’ve been much easier to stick to a predefined set of sane parameters andassign them their own IDs.Another point where unnecessary complexity was added was the handlingof key sizes. A number of bit-shifting operations were only necessary becauseRFC 3447 allows keys of any size. It would have made the whole implementationsignificantly simpler if the allowed key sizes were restricted to ones divisible by8 (which makes a byte-representation without padding possible). As usuallyall real-world applications use common key sizes like 1024, 2048 or 4096, thisrestriction would not have many implications on users.The fact that the only input to the whole signature generation and verificationfunctions is the hash of a message was welcome for the implementation,but it weakens the security (see chapter 5). It would’ve needed even more APIchanges to make a construction like the original PSS proposal that does notstart with Hash(M) possible. However, I would still consider randomizationof the hash a good idea, as it would vastly improve the security on real-worldattacks.8.12 SummaryI have provided working patches to support RSASSA-PSS in nss, a cryptographiclibrary widely used by popular products like the Mozilla Firefox browser.Due to the very invasive changes required, inclusion of them into the main nsscodebase will probably still require some time.Further possible tasks that could be done are support for designatedRSASSA-PSS keys/certificates and support for Cryptographic Message Syntax37
Page 3 and 4: 7.6 No Support yet: OpenPGP, DNSSEC
Page 5 and 6: look at requirements by law and pos
Page 7 and 8: side: Every decryption operation pr
Page 9 and 10: MMGFMGF(M)Figure 2: Full Domain Has
Page 11 and 12: key size have equal security. Howev
Page 13 and 14: MHashPadding1mHashsaltPadding2saltH
Page 15 and 16: In the PKCS standard, the old and n
Page 17 and 18: --- crypto / rsa / rsa_sign .c 26 A
Page 19 and 20: impact of fault-based attacks on ra
Page 21 and 22: This only works because the first t
Page 23 and 24: MsaltRMXRMHashPadding1mHashsaltPadd
Page 25 and 26: PKCS #1 v2.1 specifies the use of P
Page 27 and 28: Default / no parametersWith paramet
Page 29 and 30: MacOS X supports only PSS signature
Page 31 and 32: DNSSEC is a security extension to t
Page 33 and 34: static SECStatusemsa_pss_verify ( c
Page 35: such a struct to pass it down throu
Page 39 and 40: During the implementation of RSASSA
Page 41 and 42: Certificate :Data :Version : 3 (0 x
Page 43 and 44: 11 Really provable SecurityThe conc
Page 45 and 46: PSPACE problemsNP ProblemsBQPFigure
Page 47 and 48: and physics where today very little
Page 49 and 50: are more likely to consider the use
Page 51 and 52: [Brier et al., 2006] Brier, E., Che
Page 53 and 54: [IETF Network Working Group, 2005a]
Page 55 and 56: [Technical Committee CEN/TC 224, 20
Page 57 and 58: OAEP Optimal asymmetric Encryption

RSA-PSS â Provably secure RSA Signatures and their ...

Create successful ePaper yourself

Delete template?

Save as template?

RSA-PSS â Provably secure RSA Signatures and their ...