IETF-SSH archive


rsa-sha2-256: Need YOUR opinion on PSS vs PKCS#1 v1.5



I extend thanks to Peter Gutmann for attempting to implement rsa-sha2-256.

In a recent version of the draft, I changed the padding to PSS (from PKCS#1 v1.5) for the following reasons:

(1) RFC 3447, where both formats are defined, recommends PSS:

https://tools.ietf.org/html/rfc3447#section-8
   Although no attacks are known
   against RSASSA-PKCS1-v1_5, in the interest of increased robustness,
   RSASSA-PSS is recommended for eventual adoption in new applications.
   RSASSA-PKCS1-v1_5 is included for compatibility with existing
   applications, and while still appropriate for new applications, a
   gradual transition to RSASSA-PSS is encouraged.
Note that this was published in 2003. Twelve years later, it might be time to start making this transition.

(2) Hanno Boeck has argued persuasively in favor of PSS:

https://rsapss.hboeck.de/rsapss-1.0.3.pdf

He makes the following points:

- PSS has provable security in the random oracle model; PKCS#1 v1.5 does not.
- There have been successful attacks on PKCS#1 v1.5 implementations. These do not work against correct (non-parser-like) verifier implementations. However, due to its structure, PKCS#1 v1.5 is appealing to implement incorrectly.
- Fault-based attacks take more care to defend against using PKCS#1 v1.5 than using PSS.
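The second point above turns on how a verifier checks PKCS#1 v1.5 padding. The following is an added illustration, not code from the draft, from the original post, or from any implementation it names: it uses the Go standard library to sign one constructed message under both RSASSA-PKCS1-v1_5 and RSASSA-PSS with SHA-256, and hand-writes the PKCS#1 v1.5 check the "non-parser-like" way, rebuilding the entire expected encoding and comparing all k bytes of s^e mod n against it, rather than scanning the decoded block for the 0x00 separator and then comparing only the hash. The message text, key size and function names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math/big"
)

// DigestInfo prefix for SHA-256 (RFC 3447, section 9.2, note 1).
var sha256DigestInfo = []byte{0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}

// verifyPKCS1v15 is the non-parser-like check: rebuild the complete encoding
// EM = 00 || 01 || PS || 00 || DigestInfo || H and compare s^e mod n against it whole.
func verifyPKCS1v15(pub *rsa.PublicKey, msg, sig []byte) bool {
	k, h := (pub.N.BitLen()+7)/8, sha256.Sum256(msg)
	tLen := len(sha256DigestInfo) + len(h)
	s := new(big.Int).SetBytes(sig)
	if len(sig) != k || s.Cmp(pub.N) >= 0 || k < tLen+11 {
		return false // wrong length, s >= n, or modulus too short for the encoding
	}
	em := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N).FillBytes(make([]byte, k))
	want := append([]byte{0x00, 0x01}, bytes.Repeat([]byte{0xff}, k-tLen-3)...) // 00 01 PS
	want = append(append(append(want, 0x00), sha256DigestInfo...), h[:]...)    // 00 T
	return subtle.ConstantTimeCompare(em, want) == 1
}

// demo signs a constructed message with both paddings; it reports whether the
// check above accepts the PKCS#1 v1.5 signature and Go's verifier the PSS one.
func demo() (pkcs1OK, pssOK bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message, not a real SSH packet")
	h := sha256.Sum256(msg)
	sig1, err1 := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	sig2, err2 := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	if err1 != nil || err2 != nil {
		panic("signing failed")
	}
	return verifyPKCS1v15(&priv.PublicKey, msg, sig1),
		rsa.VerifyPSS(&priv.PublicKey, crypto.SHA256, h[:], sig2, nil) == nil
}

func main() { fmt.Println(demo()) }
```

Because the comparison covers every byte of the encoding, a block whose padding is shorter than expected or that carries extra bytes after the hash is rejected outright; there is no separate padding parser for an implementer to get wrong.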

(3) Availability of PSS is now much better than it used to be. In my case, I work with Crypto++ and Windows CNG, which both support it. Free software tends to use OpenSSL, which has also supported PSS since version 1.0.1. This has been available since 2012.

These are the arguments in favor of PSS.

The main argument against is the one pointed out by Peter Gutmann. Although a number of major crypto implementations have it, there are still implementations out there that do not.

What's everyone's opinion on this?

In my opinion, we ought to migrate toward an apparent improvement, and now is the opportunity to do so.

If we specify PKCS#1 v1.5 today, we'll be stuck with it for 15 years.

We may have to define another signature algorithm that uses PSS in the future, if standards bodies start to demand PSS.

The main argument in favor of PKCS#1 v1.5 appears to be laziness. No?


