RE: RSA Signature Padding
The thesis of the paper is that ad hoc encodings should be replaced with
provably secure encodings, albeit the attack it describes may not apply
to PKCS #1 v1.5.
One would think that we would want to use provably secure padding,
especially as we use new OIDs.
> -----Original Message-----
> From: Simon Josefsson [mailto:simon@xxxxxxxxxxxxx]
> Sent: Monday, June 08, 2009 7:28 AM
> To: Santosh Chokhani
> Cc: Tom Gindin; IETF-pkix
> Subject: Re: RSA Signature Padding
>
> "Santosh Chokhani" <SChokhani@xxxxxxxxxxxx> writes:
>
> > Tom,
> >
> > I am asking because of the paper in the link below.
> >
> > http://eprint.iacr.org/2009/203
>
> Interesting. What does that mean for PKCS#1 v1.5?
>
> /Simon
>
> >> -----Original Message-----
> >> From: Tom Gindin [mailto:tgindin@xxxxxxxxxx]
> >> Sent: Sunday, June 07, 2009 8:54 PM
> >> To: Santosh Chokhani
> >> Cc: IETF-pkix
> >> Subject: Re: RSA Signature Padding
> >>
> >> Is "we" the right term? The latest TLS (RFC 5246 section
> >> 4.7) specifies RSA signatures but does not seem to permit PSS ones.
> >> PKIX at least has PSS in RFC 4055. We could encourage vendors by
> >> producing a consolidated "algorithms" RFC which deprecates the use of
> >> MD2 and MD5 for new certificates, while suggesting that any RP vendor
> >> supporting sha1WithRSAEncryption as a signatureAlgorithm SHOULD also
> >> support id-RSASSA-PSS. Are you suggesting that we should also tell
> >> people not to use sha256WithRSAEncryption, sha384WithRSAEncryption,
> >> or sha512WithRSAEncryption as signatureAlgorithm values but to use
> >> those hash algorithms as PSS parameters instead?
> >> Should such an RFC be targeted for New Year's 2011?
> >>
> >> Tom Gindin
> >>
> >> "Santosh Chokhani" <SChokhani@xxxxxxxxxxxx> Sent by:
> >> owner-ietf-pkix@xxxxxxxxxxxx
> >> 06/03/2009 12:58 PM
> >>
> >> To
> >> "IETF-pkix" <ietf-pkix@xxxxxxx>
> >> cc
> >>
> >> Subject
> >> RSA Signature Padding
> >>
> >>
> >> I do not know if this is the right forum.
> >>
> >> Should we encourage vendors to use RSA PSS as we transition to
> >> SHA-256 given the weakness in PKCS 1.5 padding?
> >>
> >> Santosh Chokhani
> >> CygnaCom Solutions
> >>
> >> "Questioning conventional wisdom is key to innovation"
> >>
> >>
> >>
> >>
>