SHA256: also recommended for RSASSA-PSS (RFC 3447) ?

Hi all,

please bear with me if this is not the "right" list to discuss this 
topic....

My question arises from the fact that certain documents (e.g. 
regulations, papers, etc) recommends a switch from SHA1 to SHA256, quite 
soon, because SHA1 has started showing some weaknesses.

I am asking myself, and would appreciate some comments and insight from 
the PKIX community, if a transition to SHA256 as the hashing function 
for computing the message-digest signed attribute within a SignerInfo 
structure (part of a CMS or CADES message) should imply the adoption of 
the same hashing function also for "scrambling" the message digest into 
the encryption buffer according to RFC 3447 (section 8.1: RSASSA-PSS).

Would using SHA256 in the RSASSA-PSS scheme be significantly more secure 
than using SHA1 ?

TIA to all commenters.

Adriano

_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

Re: SHA256: also recommended for RSASSA-PSS (RFC 3447) ?

On 1/7/10 4:31 AM, Adriano Santoni wrote:

> Would using SHA256 in the RSASSA-PSS scheme be significantly more secure
> than using SHA1 ?

And: which code libraries support the RSA 2.1 algorithms?

_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

Re: SHA256: also recommended for RSASSA-PSS (RFC 3447) ?

On Thu, Jan 07, 2010 at 12:31:40PM +0100, Adriano Santoni wrote:
> I am asking myself, and would appreciate some comments and insight
> from the PKIX community, if a transition to SHA256 as the hashing
> function for computing the message-digest signed attribute within a
> SignerInfo structure (part of a CMS or CADES message) should imply
> the adoption of the same hashing function also for "scrambling" the
> message digest into the encryption buffer according to RFC 3447
> (section 8.1: RSASSA-PSS).

Just to be precise, we have three hash functions here:

-- the hash function which is used to compute the contents of a
message-digest signed attribute (let's call it h1);
-- the hash function used to process the message which is to be signed,
as the first step of signature generation per PKCS#1 (the input to
that function is the encoding of the signed attributes) (call it h2);
-- the hash function used internally to PSS as part of the "mask
generation function" (MGF) (let's call it h3).

A MGF is not necessarily based on a hash function, but only one MGF is
defined, called MGF1, and that one uses a hash function (which I call
here h3). PKCS#1 recommends, in that situation, that h2 = h3. This is
not mandatory, but recommended nonetheless, so let's assume that this is
ture.

The reasons which would make you prefer SHA-256 over SHA-1 for h1 mostly
apply to the choice of h2 too. Right now, known weaknesses in SHA-1 point
to the possibility of creating a collision; such weaknesses are most
likely to apply in a practical situation when the "bad guy" can control
substantial parts of the input to the hash function. In the case of h2,

NSA Suite B CMC Profile

We have recently submitted the National Security Agency's Suite B 
Certificate Management over CMS Profile to the IETF as an Internet-Draft.

Even though this is an individual submission, we believe that some on 
this list may be interested in it.  We encourage you to review the 
document. Please send your comments to turners <at> ieca.com or 
mpeck <at> restarea.ncsc.mil.

You may reach the document at:

http://tools.ietf.org/html/draft-turner-suiteb-cmc

Cheers,

spt
_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

Last Call: draft-ietf-pkix-tamp (Trust Anchor Management Protocol (TAMP)) to Proposed Standard

The IESG has received a request from the Public-Key Infrastructure 
(X.509) WG (pkix) to consider the following document:

- 'Trust Anchor Management Protocol (TAMP) '
   <draft-ietf-pkix-tamp-05.txt> as a Proposed Standard

This document includes a downref to draft-ietf-pkix-new-asn1, which
is under consideration by the IESG for publication as an Informational RFC.
This document updates ASN.1 modules for PKIX specifications to conform to
the 2002 version of ASN.1, but makes no changes to the bits on the wire.
The community is specifically requested to consider whether down refs
to draft-ietf-pkix-new-asn1 are appropriate in the general case, 
in addition to the specific case of draft-ietf-pkix-tamp.

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send substantive comments to the
ietf <at> ietf.org mailing lists by 2010-01-28. Exceptionally, 
comments may be sent to iesg <at> ietf.org instead. In either case, please 
retain the beginning of the Subject line to allow automated sorting.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-ietf-pkix-tamp-05.txt

IESG discussion can be tracked via
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=17760&rfc_flag=0

_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

RFC 5758 on Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA

A new Request for Comments is now available in online RFC libraries.

        
        RFC 5758

        Title:      Internet X.509 Public Key Infrastructure: 
                    Additional Algorithms and Identifiers for DSA 
                    and ECDSA 
        Author:     Q. Dang, S. Santesson,
                    K. Moriarty, D. Brown,
                    T. Polk
        Status:     Standards Track
        Date:       January 2010
        Mailbox:    quynh.dang <at> nist.gov, 
                    sts <at> aaa-sec.com, 
                    Moriarty_Kathleen <at> emc.com,  dbrown <at> certicom.com, 
                    tim.polk <at> nist.gov
        Pages:      8
        Characters: 15834
        Updates:    RFC3279

        I-D Tag:    draft-ietf-pkix-sha2-dsa-ecdsa-10.txt

        URL:        http://www.rfc-editor.org/rfc/rfc5758.txt

This document updates RFC 3279 to specify algorithm
identifiers and ASN.1 encoding rules for the Digital Signature
Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm
(ECDSA) digital signatures when using SHA-224, SHA-256, SHA-384,

Re: Last Call: draft-ietf-pkix-tamp (Trust Anchor ManagementProtocol (TAMP)) to Proposed Standard

_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

[Editorial Errata Reported] RFC5758 (2013)

The following errata report has been submitted for RFC5758,
"Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5758&eid=2013

--------------------------------------
Type: Editorial
Reported by: Alfred Hoenes <ah <at> TR-Sys.de>

Section: 3, last para

Original Text
-------------
|  Conforming CA implementations that ECDSA signatures in certificates
   or CRLs MAY generate such ECDSA signatures in accordance with all the
   requirements and recommendations in [X9.62] or [SEC1] if they have a
   stated policy that requires conformance to [X9.62] or [SEC1].

Corrected Text
--------------
|  Conforming CA implementations that generate ECDSA signatures in
   certificates or CRLs MAY generate such ECDSA signatures in accordance
   with all the requirements and recommendations in [X9.62] or [SEC1] if
   they have a stated policy that requires conformance to [X9.62] or
   [SEC1].

Notes
-----
Rationale: missing verb, "generate";
  cf. similar text immediately above in the same Section
  and the last two paragraphs of Section 2.

Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC5758 (draft-ietf-pkix-sha2-dsa-ecdsa-10)
--------------------------------------
Title               : Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA
Publication Date    : January 2010
Author(s)           : Q. Dang, S. Santesson, K. Moriarty, D. Brown, T. Polk
Category            : PROPOSED STANDARD
Source              : Public-Key Infrastructure (X.509)
Area                : Security
Stream              : IETF
Verifying Party     : IESG
_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

[Editorial Errata Reported] RFC5756 (2021)

The following errata report has been submitted for RFC5756,
"Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5756&eid=2021

--------------------------------------
Type: Editorial
Reported by: Alfred Hoenes <ah <at> TR-Sys.de>

Section: 1, last para

Original Text
-------------
   This document also replaces incorrect references to the
   publicKeyAlgorithms field in Section 3 with references to the
   parameters field in the subjectPublicKeyInfo algorithm field.
|  Section 3 also rewords the second and third paragraphs for clarity.
          ^^^

Corrected Text
--------------
   This document also replaces incorrect references to the
|  publicKeyAlgorithms field in Section 3 of [RFC4055] with references
   to the parameters field in the subjectPublicKeyInfo algorithm field.
|  Section 2 also rewords the second and third paragraph in Section 3
|  of [RFC4055] for clarity.

Notes
-----
Rationale: Clarification
  Confusion between section numbers in 2 different documents
  (per late text change).
Resolution:
  More details added for clarification, wrong section number corrected.

Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC5756 (draft-ietf-pkix-rfc4055-update-02)
--------------------------------------
Title               : Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters
Publication Date    : January 2010
Author(s)           : S. Turner, D. Brown, K. Yiu, R. Housley, T. Polk
Category            : PROPOSED STANDARD
Source              : Public-Key Infrastructure (X.509)
Area                : Security
Stream              : IETF
Verifying Party     : IESG
_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

Re: RFC 3279's section 2.3.5 at odds with section 3 (errata 1909)

Since Tim and Russ are co-authors of RFC 3279, I probably 
need to handle this errata...

It appears that the incorrect OID for id-characteristics-two-basis 
is an actual bug (even though this OID is not really used much,
especially after RFC 5480); the others are just typos that are
unlikely to cause significant confusion for anyone.

So, I would propose that we split this errata into two. The
first one would contain this, and would be marked "Verified":

Section 2.3.5 says:
      id-characteristic-two-basis OBJECT IDENTIFIER ::= {
           characteristic-two-field basisType(1) }
It should say:
      id-characteristic-two-basis OBJECT IDENTIFIER ::= {
           characteristic-two-field basisType(3) }

And the other one contains the three typos; we mark that as
"Held for Document Update".

(see http://www.ietf.org/iesg/statement/errata-processing.html 
for description about what these mean).

Tim, Russ, others: does this sound OK to you?

Best regards,
Pasi

> -----Original Message-----
> From: pkix-bounces <at> ietf.org [mailto:pkix-bounces <at> ietf.org] On Behalf Of
> ext Jim Wigginton
> Sent: 12 October, 2009 19:51
> To: Sean Turner
> Cc: pkix <at> ietf.org
> Subject: Re: [pkix] RFC 3279's section 2.3.5 at odds with section 3
> 
> I've submitted an errata!  Would have done so earlier but I'm not
> actually super familiar with the whole RFC process.
> 
> Anyway, I also included one other issue:
> 
> Section 3 defines { pkcs-1 5 } as follows:
> 
> sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
> 
> Section 2.2.2 defines it as follows:
> 
> sha-1WithRSAEncryption OBJECT IDENTIFIER ::= {
> iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
> pkcs-1(1) 5 }
> 
> ie. one has a dash and the other doesn't.
> 
> On Mon, Oct 12, 2009 at 7:55 AM, Sean Turner <turners <at> ieca.com> wrote:
> > Jim,
> >
> > RFC 3279 section 2.3.5 has been updated by RFC 5480.  I believe all
> of these
> > are addressed by that update. Comments inline.
> >
> > Jim Wigginton wrote:
> >>>
> >>> From RFC 3279#section-2.3.5:
> >>
> >> ----------------------------
> >>
> >>   ansi-X9-62 OBJECT IDENTIFIER ::=
> >>                             { iso(1) member-body(2) us(840) 10045 }
> >>
> >>   When certificates contain an ECDSA or ECDH public key, the
> >>   id-ecPublicKey algorithm identifier MUST be used. The id-
> ecPublicKey
> >>   algorithm identifier is defined as follows:
> >>
> >>     id-public-key-type OBJECT IDENTIFIER  ::= { ansi-X9.62 2 }
> >>
> >>     id-ecPublicKey OBJECT IDENTIFIER ::= { id-publicKeyType 1 }
> >>
> >> ----------------------------
> >>
> >> The "id-public-key-type OBJECT IDENTIFIER  ::= { ansi-X9.62 2 }"
> line
> >> in section 2.3.5 is problematic.  First, ansi-X9.62 isn't valid - it
> >> should be ansi-X9-62.  Second, id-ecPublicKey doesn't reference
> >> id-public-key-type - it references id-publicKeyType.  Section 3 of
> the
> >> RFC refers to it as id-publicKeyType, as well.
> >
> > We didn't use "asni-X9-62" instead we spelled out each component in
> the OID.
> >  It's more text overall, but I think clearer.
> >
> >> Also, from the same section 2.3.5...
> >>
> >> ----------------------------
> >>
> >>   ansi-X9-62 OBJECT IDENTIFIER ::=
> >>                             { iso(1) member-body(2) us(840) 10045 }
> >> ...
> >>      id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1) }
> >> ...
> >>      characteristic-two-field OBJECT IDENTIFIER ::= { id-fieldType 2
> }
> >> ...
> >>      id-characteristic-two-basis OBJECT IDENTIFIER ::= {
> >>           characteristic-two-field basisType(1) }
> >> ...
> >>      gnBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 1 }
> >>
> >> ----------------------------
> >>
> >> Per all that, the OID of gnBasis should be 1.2.840.10045.1.2.1.1.
> >
> > In RFC 5480, we only allow namedCurve and prohibit the other two so
> this
> > issue is OBE there.
> >
> >> Here's what section 3 says:
> >>
> >> ----------------------------
> >>
> >>   ansi-X9-62 OBJECT IDENTIFIER ::= {
> >>        iso(1) member-body(2) us(840) 10045 }
> >> ...
> >>   id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1) }
> >> ...
> >>   characteristic-two-field OBJECT IDENTIFIER ::= { id-fieldType 2 }
> >> ...
> >>   id-characteristic-two-basis OBJECT IDENTIFIER ::= {
> >>        characteristic-two-field basisType(3) }
> >> ...
> >>   gnBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 1 }
> >>
> >>
> >> ----------------------------
> >>
> >> Per all that, the OID of gnBasis should be 1.2.840.10045.1.2.3.1.
> >> oid-info.com suggests that the latter is correct:
> >>
> >> http://www.oid-info.com/get/1.2.840.10045.1.2.1.1
> >> http://www.oid-info.com/get/1.2.840.10045.1.2.3.1
> >
> > I went and looked in SECG.  The OID there is:
> >
> > gnBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 1 }
> >
> > id-characteristic-two-basis OBJECT IDENTIFIER ::= { characteristic-
> two-field
> > basisType(3) }
> >
> > characteristic-two-field OBJECT IDENTIFIER ::= { id-fieldType 2 }
> >
> > id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1)}
> >
> > ansi-X9-62 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
> 10045}
> >
> > Stringing all that together: 1.2.840.10045.1.2.3.1 is the right OID
> for
> > gnBasis.
> >
> > Granted, I wouldn't mind an errata to fix the following:
> >
> > Replace "ansi-X9.62" with "ansi-X9-62" in Section 2.3.5.
> > Replace "id-public-key-type" with "id-publicKeyType" in Section
> 2.3.5.
> > Replace "basisType(2)" with "basisType(3)" in Section 2.3.5.
> >
> > Are you going to submit an errata to RFC 3279 for these?
> >
> > spt
> >
> _______________________________________________
> pkix mailing list
> pkix <at> ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix