
Re: [openpgp] RSA-PSS and RSA-OAEP for v5

2021-03-01 04:17:00
On Sun, 28 Feb 2021 19:47:15 +0000
Stephen Farrell <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie> wrote:

> On 28/02/2021 19:26, brian m. carlson wrote:
>
>> I think it's very clear, based on a history of CVEs, that as
>> practically implemented, PKCS #1 padding is weak compared to PSS
>> and OAEP.
>
> FWIW, my impression is that that is not clear. Quite a few
> people do have that position for sure, but equally, the views
> expressed by e.g. Werner and Peter Gutmann also seem fairly
> commonly held afaics.

I saw Peter Gutmann's notes on PSS a while ago [1] and was considering
writing a reply, but I didn't find the motivation and was unsure how
relevant this is given the demise of RSA.

I wrote my thesis on PSS, so I'm quite familiar with it. I think
Gutmann has some points, but these are almost entirely not really
weaknesses in PSS itself, but of an amount of excess flexibility in the
standard that could easily be fixed.

I believe there are basically 2 changes that would make PSS much less
fragile. I know OAEP less, but I think it's pretty much the same
situation:

a) There's an excess of parameter choices for PSS. It allows choosing
2 different hash functions, a mask generation function (which has only
one choice available) and a salt length. If you remove that flexibility
(by simply defining "use sha256, use the standard mgf1 as there is no
other one, use the default salt length of 20, don't support anything
else") all issues with it go away.

b) There are a lot of corner cases in the algorithm due to the fact that
the standard allows a completely flexible key size. If you'd say "only
key sizes that are a multiple of 8" (or even "only 2048/4096 bits are
allowed") the implementation gets much simpler and is pretty
straightforward.

One could easily define RSA-PSS-Simple (or RSA-OAEP-Simple) with these
two restrictions and I believe that would remove most concerns about
complexity. Though given that the world is moving away from RSA and the
big post-quantum revolution is coming anyway, I'm not sure it's worth
doing that.

[1]
https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html

-- 
Hanno Böck
https://hboeck.de/
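The fixed-parameter PSS encoding the mail proposes, written out as an added example (not code from the thread or from any OpenPGP implementation): SHA-256 for both hashes, MGF1 with SHA-256, a 20-byte salt, and modulus sizes restricted to multiples of 8, so the encoder clears exactly one leading bit instead of a variable-width bit mask. The RSA modular exponentiation itself is omitted; the "RSA-PSS-Simple" label and all function names are assumptions.

```python
import hashlib
import os

# Fixed "RSA-PSS-Simple" parameters (my assumption, mirroring the mail's proposal):
# SHA-256 for both hashes, MGF1 with SHA-256, salt length 20, key size a multiple of 8.
HASH, H_LEN, S_LEN = hashlib.sha256, 32, 20


def mgf1(seed: bytes, mask_len: int) -> bytes:
    # MGF1 (RFC 8017 B.2.1): Hash(seed || counter) blocks, truncated to mask_len
    blocks = (HASH(seed + c.to_bytes(4, "big")).digest()
              for c in range((mask_len + H_LEN - 1) // H_LEN))
    return b"".join(blocks)[:mask_len]


def _em_len(mod_bits: int) -> int:
    # emBits = modBits - 1; with modBits % 8 == 0, emLen = modBits // 8 and
    # exactly one leading bit of EM must be cleared (no variable-width bit mask).
    if mod_bits % 8 != 0:
        raise ValueError("RSA-PSS-Simple: key size must be a multiple of 8")
    em_len = mod_bits // 8
    if em_len < H_LEN + S_LEN + 2:
        raise ValueError("key too small for hash + salt")
    return em_len


def pss_encode(msg: bytes, mod_bits: int, salt: bytes = None) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1) with the fixed parameters above."""
    em_len = _em_len(mod_bits)
    salt = os.urandom(S_LEN) if salt is None else salt
    h = HASH(bytes(8) + HASH(msg).digest() + salt).digest()  # H = Hash(0^8 || mHash || salt)
    db = bytes(em_len - S_LEN - H_LEN - 2) + b"\x01" + salt  # DB = PS || 0x01 || salt
    masked_db = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0x7F                                      # clear the one leading bit
    return bytes(masked_db) + h + b"\xbc"


def pss_verify(msg: bytes, em: bytes, mod_bits: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2); True only if EM is consistent with msg."""
    em_len = _em_len(mod_bits)
    if len(em) != em_len or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    if masked_db[0] & 0x80:                                   # leading bit must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= 0x7F
    ps_len = em_len - H_LEN - S_LEN - 2
    if db[:ps_len] != bytes(ps_len) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[-S_LEN:])
    return h == HASH(bytes(8) + HASH(msg).digest() + salt).digest()
```

Compare this with the general EMSA-PSS text, where the number of bits to clear is 8*emLen - emBits and each hash, the MGF and the salt length are negotiable parameters.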
