RSA-PSS in XMLDSig: Position Paper, W3C Workshop, Mountain View
Konrad Lanz, Digital Signature Services (OASIS-DSS)

Affiliations:
- IAIK (Inst. f. angew. Informationsverarbeitung und Kommunikation), TUG (Technische Universität Graz)
- SIC (Stiftung Secure Information and Communication Technology)
- A-SIT (Zentrum für Sichere Informationstechnologie)
- OASIS-DSS TC Voting Member (OASIS: Organization for the Advancement of Structured Information Standards)
- W3C XML Core Working Group, Canonicalization (c14n); W3C XMSSMWG
Introduction
- Currently used in XMLDSig: RSASSA-PKCS1-v1_5
- Proposed: RSA-PSS
- RSASSA-PKCS1-v1_5 verifiers have been hit by the Bleichenbacher implementation vulnerability (signature forgery against lenient padding checks, [FIN-BLEICH])
- RSA-PSS is a randomized method with a tighter security proof

XMLDSig structure, as defined in [XMLDSig]:
    <Signature ID?>
      <SignedInfo>
        <CanonicalizationMethod/>
        <SignatureMethod/>
        (<Reference URI? >
          (<Transforms/>)?
          <DigestMethod/>
          <DigestValue/>
        </Reference>)+
      </SignedInfo>
      <SignatureValue>
      (<KeyInfo>)?
      (<Object ID?>)*
    </Signature>
RSA-PSS Recognition/Adoption
- Cryptographic Message Syntax (CMS, [RFC 3852]) has an RSA-PSS signature method ([RFC 4056], Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS)).
- The DSS draft [FIPS Draft], section 5.5, references [PKCS#1 v2.1] and considers RSA-PSS as approved.
What do we need?
- A namespace and identifiers for RSA-PSS
- An XML schema for the algorithm parameters
Namespace and Algorithm Identifiers
- SignatureMethod
- Mask generation function
- Hash functions: SHA-1 is specified in [XMLDSig]; SHA-256 and SHA-512 are specified in XML Encryption [XMLEnc]; SHA-224 and SHA-384 in [RFC4051]
RSA-PSS Parameters
- the digest method (dm)
- the mask generation function (MGF)
- the digest method used in the MGF, if any (mgf-dm)
- the salt length (sl)
- the trailer field (tf), usually constant
Default (fixed values?)
The NIST drafts are moving away from SHA-1 to the longer output lengths of the SHA family ([FIPS 180-3 Draft], [NIST SP Draft] and [NIST SP Draft]). Proposed defaults, with the [PKCS#1v2.1] default in parentheses:
- dm: SHA-256 (SHA-1)
- MGF: MGF1
- mgf-dm: = dm, i.e. SHA-256 (SHA-1)
- sl: length(dm)/8 = 256/8 = 32 bytes (20 bytes)
- tf: 1 (corresponds to the trailer byte 0xbc)
SHA-1 tarnished
- [NIST SP 800-57 Draft]: SHA-1 provides less than 80 bits of security; NIST currently assesses its security strength against collisions at 69 bits.
- Successful collision attacks on reduced-step variants of SHA-1: [WaYiYu], [CaMeRe], [MeReRei] (step counts: see the notes below).
- Theoretical attacks on the full version (80 steps): 2^69 operations [WaYiYu]; 2^63 operations announced [WaYaYa]; 2^60 operations announced [MeReRei].
- "recent successful collision search attacks"

Speaker notes (translated from German): A few corrections and further information. Real collisions: Wang showed a collision for the 53-step variant (2005); we (Christophe and I) for 64 steps (2006); we (Christophe, Florian and I) for 70 steps (reference: "Collisions for 70-step SHA-1: On The Full Cost of Collision Search", SAC 2007). Theoretical attacks on 80-step SHA-1: Wang, 2^69; announcement without details: 2^63; we (Florian, Vincent and I) recently announced a new attack with 2^60 operations (also without details); reference: CRYPTO Rump Session 2006, "Update on SHA-1".
RFC 4055 RSA-PSS parameters
- RSA-PSS parameters can be carried in the subjectPublicKeyInfo field of an X.509 certificate.
- Parameters are to be added to the signature unless default values are used.
- Parameters in the signature must be consistent with those in the key/certificate (primed values):
  - dm = dm'
  - MGF = MGF'
  - mgf-dm = mgf-dm'
  - sl >= sl'
  - tf = tf' (effective value)
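The following is an added example, not code from the position paper or from any toolkit it mentions: a pure-Python EMSA-PSS encode/verify pair (PKCS#1 v2.1, section 9.1) driven by the parameters named on the parameter and default slides (dm, mgf-dm, sl, tf, with the MGF fixed to MGF1), followed by the RFC 4055 consistency rule from the slide above written as a function. The RSA exponentiation itself is left out because the parameters do not touch it; em_bits is modBits - 1 as in PKCS#1. The function names, the dict layout for parameter sets and the sample message are this example's own choices.

```python
# Added example (not from the position paper): EMSA-PSS encoding and
# verification per PKCS#1 v2.1 section 9.1, parameterised by dm, mgf-dm, sl
# and tf, plus the RFC 4055 rule for checking a signature's parameters against
# those carried in the signer's key/certificate.  Names are this example's own.
import hashlib
import hmac
import os

TRAILER_FIELD_BC = b"\xbc"   # tf = 1 in PKCS#1 / RFC 4055 means the single byte 0xbc


def mgf1(seed: bytes, mask_len: int, mgf_dm: str) -> bytes:
    """MGF1 (PKCS#1 v2.1, B.2.1): concatenate hash(seed || C) for C = 0, 1, ... and truncate."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += hashlib.new(mgf_dm, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def emsa_pss_encode(message: bytes, em_bits: int, dm: str, mgf_dm: str,
                    salt: bytes, tf: bytes = TRAILER_FIELD_BC) -> bytes:
    """EMSA-PSS-ENCODE: returns EM of ceil(em_bits/8) bytes (em_bits = modBits - 1)."""
    m_hash = hashlib.new(dm, message).digest()
    h_len, s_len = len(m_hash), len(salt)
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: modulus too small for this hash/salt length")
    m_prime = b"\x00" * 8 + m_hash + salt          # M' = 0x00*8 || mHash || salt
    h = hashlib.new(dm, m_prime).digest()
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt   # DB = PS || 0x01 || salt
    db_mask = mgf1(h, em_len - h_len - 1, mgf_dm)
    masked_db = bytearray(x ^ y for x, y in zip(db, db_mask))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the leftmost unused bits
    return bytes(masked_db) + h + tf                # EM = maskedDB || H || TF (TF is one byte)


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, dm: str, mgf_dm: str,
                    sl: int, tf: bytes = TRAILER_FIELD_BC) -> bool:
    """EMSA-PSS-VERIFY: True iff em is a valid encoding of message under (dm, mgf_dm, sl, tf)."""
    m_hash = hashlib.new(dm, message).digest()
    h_len = len(m_hash)
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + sl + 2:
        return False
    if em[-1:] != tf:                               # the trailer byte is checked, not skipped
        return False
    masked_db, h = em[: em_len - h_len - 1], em[em_len - h_len - 1: em_len - 1]
    unused = 8 * em_len - em_bits
    if masked_db[0] & ((0xFF << (8 - unused)) & 0xFF):   # leftmost unused bits must be zero
        return False
    db = bytearray(x ^ y for x, y in zip(masked_db, mgf1(h, em_len - h_len - 1, mgf_dm)))
    db[0] &= 0xFF >> unused
    ps_len = em_len - h_len - sl - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:      # PS must be all zero, followed by 0x01
        return False
    salt = bytes(db[ps_len + 1:])
    h_prime = hashlib.new(dm, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_prime)


def params_acceptable(sig: dict, key: dict) -> bool:
    """RFC 4055 rule as summarised on the slide: dm, MGF, mgf-dm and tf of the
    signature must equal the key's; the signature's salt length must be >= the key's."""
    return (sig["dm"] == key["dm"] and sig["mgf"] == key["mgf"]
            and sig["mgf_dm"] == key["mgf_dm"] and sig["tf"] == key["tf"]
            and sig["sl"] >= key["sl"])


# Example 1 from the slides (SHA-256, MGF1 with SHA-256, 32-byte salt, trailer 0xbc),
# applied here to a 2048-bit modulus (em_bits = 2047) and a constructed message.
EXAMPLE_1 = {"dm": "sha256", "mgf": "MGF1", "mgf_dm": "sha256", "sl": 32, "tf": 1}


def demo():
    msg = b"<SignedInfo>...</SignedInfo>"   # constructed stand-in for canonicalised SignedInfo
    salt = os.urandom(EXAMPLE_1["sl"])      # the salt is what makes PSS randomized
    em = emsa_pss_encode(msg, 2047, "sha256", "sha256", salt)
    ok = emsa_pss_verify(msg, em, 2047, "sha256", "sha256", EXAMPLE_1["sl"])
    tampered = emsa_pss_verify(msg + b" ", em, 2047, "sha256", "sha256", EXAMPLE_1["sl"])
    return ok, tampered


if __name__ == "__main__":
    print(demo())
```

In a verifier the order is: take the parameters found in the signature (or the defaults if none are present), run params_acceptable against the parameters in the certificate, and only then run emsa_pss_verify with the signature's own salt length. Verifying with the certificate's salt length instead would reject every signature whose sl is larger than sl', which RFC 4055 explicitly permits.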
Examples
- Example 1 (defaults): SHA-256, MGF1 with SHA-256, default salt length 256/8 = 32 bytes, trailer = 1 (0xbc)
- Example 2: SHA-512, MGF1 with SHA-512, salt length 512/8 = 64 bytes, trailer = 1
- Example 3: SHA-1, MGF1 with SHA-1, salt length 256/8 = 32 bytes, trailer = 1
- Example 4: SHA-1, MGF1 with SHA-1, salt length 32 bytes, trailer = 1
Conclusion
- RSA-PSS as a signature method for XMLDSig
- Plain SHA-1 should not be the default any more; SHA-256 as the default hash algorithm
- The specification, and approaches to encoding the RSA-PSS parameters with the key or certificate, have been discussed
Thanks for your attention! References are in the position paper.

References
[FIN-BLEICH] Hal Finney: Bleichenbacher's RSA signature forgery based on implementation error, 17 Aug. 2006
[PKCS#1v1.5] PKCS#1 v1.5: RSA Encryption Standard, RSA Laboratories, 1 Nov. 1993, ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1.asc
[PKCS#1v2.1] PKCS#1 v2.1: RSA Cryptography Standard, RSA Laboratories, 14 June 2002, ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf
[RFC 3852] Russ Housley: Cryptographic Message Syntax (CMS), RFC 3852, July 2004
[RFC4051] D. Eastlake 3rd: Additional XML Security Uniform Resource Identifiers (URIs), RFC 4051, Apr. 2005
[RFC 4055] Jim Schaad: Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC 4055, June 2005
[RFC 4056] Jim Schaad: Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS), RFC 4056, June 2005
[XMLDSig] XML-Signature Syntax and Processing, W3C Recommendation, 12 Feb. 2002
[XMLEnc] XML Encryption Syntax and Processing, W3C Recommendation, 10 December 2002
[KAL-PSS] Burt Kaliski: Raising the Standard for RSA Signatures: RSA-PSS, RSA Laboratories, 26 Feb. 2003
[FIPS Draft] Digital Signature Standard (DSS), FIPS 186-3, March
[FIPS Draft] Secure Hash Standard (SHS), FIPS 180-3, June 2007
[NIST SP Draft] Recommendation for Using Approved Hash Algorithms, NIST, July 2007
[NIST SP Draft] Recommendation for Key Management (SP 800-57), NIST, March 2007
[CaRe] Christophe De Cannière, Christian Rechberger: Finding SHA-1 Characteristics; presented at the Second NIST Cryptographic Hash Workshop (Santa Barbara, California, USA, August 2006), to appear at ASIACRYPT 2006
[WaYaYa] Xiaoyun Wang, Andrew Yao, Frances Yao: Cryptanalysis of SHA-1; presented at the First NIST Cryptographic Hash Workshop, October 2005
[WaYiYu] Xiaoyun Wang, Yiqun Lisa Yin, Hongbo Yu: Finding Collisions in the Full SHA-1; CRYPTO 2005 (Santa Barbara, California, USA, August 2005) Proceedings, volume 3621 of LNCS, pages 17–36, Springer, 2005 (editor: Victor Shoup)
Java
- XML-DSig (JSR 105)
- XML-Enc (JSR 106)
Thanks! SIC – XSect Toolkit
- IAIK XML Signature Library (IXSIL) successor
- Java XML Digital Signature APIs (JSR 105)
- Java XML Digital Encryption APIs (JSR 106)
Thanks for your attention.