RSA-PSS â Provably secure RSA Signatures and their ...

More documents

Recommendations

Info

10.4 NESSIE and ECRYPTThe European Union research project NESSIE (New European Schemes forSignatures, Integrity and Encryption) compiled a list of recommended cryptographicalgorithms in 2004 [NESSIE, 2004]. It lists RSA-PSS exclusively andno variant with old padding. It should be noted however that the NESSIErecommendations are outdated and also contain at least one broken algorithm(SFLASH).There is a follow-up research project to NESSIE called ECRYPT, whichreleases a “Yearly Report on Algorithms and Key Lengths”. In the latest report,they list both RSA-PSS and RSA PKCS #1 v1.5, but write: “However, dueto the lack of security proof, we recommend whenever possible to use RSAPSS instead, there is no advantage in using v1.5.” (chapter 14.2.1, page 72in [ECRYPT, 2010]). They recommend not to use the same key for PSS andPKCS #1 v1.5.10.5 CA/Browser ForumWeb browsers ship a list of root certificates from certificate authorities to validatethe X.509 certificates from https connections. In 2007, the CA/BrowserForum defined guidelines for so-called Extended Validation (EV) certificates.These are certificates which have to comply with stricter security rules (it shouldbe noted, however, that the EFF SSL Observatory found many EV certificatesnot compliant with their own rules).The latest guidelines from the CA/Browser Forum contain no informationabout RSA padding rules [CA/Browser Forum, 2010]. They also claim that dueto the lack of RSASSA-PSS implementations in browsers they have no plans torequire PSS padding in the foreseeable future.10.6 SummaryIn many official state documents, at least a long term transition to PSS basedRSA padding is scheduled. Internet certificate authorities don’t seem to beupon the ones pushing for better cryptography.The most ambitious plan comes from the German “Bundesnetzagentur”,which require a full transition from hash-then-sign schemes to PSS until 2015for messages and 2017 for certificates. However, it seems that there is no effortunderway to accompany this time plan with a push for the required standardsand implementations and there is a serious risk that if this doesn’t happen verysoon, it may be impossible to follow those requirements in practice.42
11 Really provable SecurityThe concept of provable security we investigated with PSS and OAEP is a verylimited one. It is only possible to provide “provable” security under certainassumptions. It relies on three assumptions: That factoring is a hard problem,that RSA is really as hard as factoring and that well-designed hash functionsbehave like random oracles. One could ask if it is at least theoretically possibleto create provably secure public key cryptography only under provableassumptions.What would that mean? We could define a “provably secure” public keyfunction as one that can only be broken by an attacker that is able to do acertain number of calculations dependent on the key size. Now we can choosea key size high enough to make it implausible that any attacker with humantechnology may be able to break that it within, say, the lifetime of a humanbeing.What we would require is a proof that for any attacker skilled with the bestpossible algorithms, it requires a minimum amount of calculations to forge asignature for a given message and a public key or to get the decrypted messagegiven an encrypted one and a public key. We will need some basic complexitytheory before we can answer such questions.11.1 Complexity Theory, P/NP and FP/FNPComplexity theory defines so-called complexity-classes as sets of problems withcertain properties.The first complexity class we will investigate is P. A problem X is in P ifit is a decision problem (the solution is just “yes” or “no”) and an algorithmexists that solves X for any input with length n with a running time that canbe expressed as a polynomial of n. Such algorithms are usually considered tobe “fast”. An example for a P problem are primality tests: “Given a numberwith n digits, can you decide if it is a prime?” For a long time, it was unknownif a polynomial primality test exists. In 2002, a polynomial primality algorithm– the AKS algorithm – was presented and thus showed that primality tests arein P.The second important complexity class is NP. NP stands for “NondeterministicPolynomial time”, but we will use an easier notion here: NP problemsare all decision problems where a polynomial algorithm exists to verify a resultgiven some extra information.The problems interesting for public key cryptography – like factoring – areusually not decision problems. But it is easily possible to transfer them intodecision problems. A decision problem for factoring could be like this: “Givena large number N and a number X with X < N, is there a factor of N smallerthan X?” A fast algorithm that is able to solve this decision problem can beused with a binary search (which itself is polynomial) to factor large numbers.43
Page 3 and 4: 7.6 No Support yet: OpenPGP, DNSSEC
Page 5 and 6: look at requirements by law and pos
Page 7 and 8: side: Every decryption operation pr
Page 9 and 10: MMGFMGF(M)Figure 2: Full Domain Has
Page 11 and 12: key size have equal security. Howev
Page 13 and 14: MHashPadding1mHashsaltPadding2saltH
Page 15 and 16: In the PKCS standard, the old and n
Page 17 and 18: --- crypto / rsa / rsa_sign .c 26 A
Page 19 and 20: impact of fault-based attacks on ra
Page 21 and 22: This only works because the first t
Page 23 and 24: MsaltRMXRMHashPadding1mHashsaltPadd
Page 25 and 26: PKCS #1 v2.1 specifies the use of P
Page 27 and 28: Default / no parametersWith paramet
Page 29 and 30: MacOS X supports only PSS signature
Page 31 and 32: DNSSEC is a security extension to t
Page 33 and 34: static SECStatusemsa_pss_verify ( c
Page 35 and 36: such a struct to pass it down throu
Page 37 and 38: 8.10 DifficultiesI found out that t
Page 39 and 40: During the implementation of RSASSA
Page 41: Certificate :Data :Version : 3 (0 x
Page 45 and 46: PSPACE problemsNP ProblemsBQPFigure
Page 47 and 48: and physics where today very little
Page 49 and 50: are more likely to consider the use
Page 51 and 52: [Brier et al., 2006] Brier, E., Che
Page 53 and 54: [IETF Network Working Group, 2005a]
Page 55 and 56: [Technical Committee CEN/TC 224, 20
Page 57 and 58: OAEP Optimal asymmetric Encryption

RSA-PSS â Provably secure RSA Signatures and their ...

Create successful ePaper yourself

Delete template?

Save as template?

RSA-PSS â Provably secure RSA Signatures and their ...