Presentation is loading. Please wait.

Presentation is loading. Please wait.

Position Paper W3C Workshop Mountain View

Similar presentations

Presentation on theme: "Position Paper W3C Workshop Mountain View"— Presentation transcript:

1 Position Paper W3C Workshop Mountain View
RSA-PSS in XMLDSig Position Paper W3C Workshop Mountain View

2 Konrad Lanz Digital Signature Services OASIS-DSS
IAIK (Inst. f. angew. Informationsverarbeitung und Kommunikation) SIC Stiftung Secure Information and Communication Technology TUG (Technische Universität Graz) OASIS-DSS TC Voting Member W3C Zentrum für Sichere Informationstechnologie (A-SIT) W3C XML CORE Working Group Canonicalization (c14n) XMSSMWG Oasis: Organization for the Advancement of Structured Information Standards (

3 Introduction Currently RSASSA-PKCS1-v1_5 RSA-PSS
Bleichenbacher implementation vulnerability RSA-PSS randomized method tighter security proof <Signature ID?> <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> (<Reference URI? > (<Transforms/>)? <DigestMethod/> <DigestValue/> </Reference>)+ </SignedInfo> <SignatureValue> (<KeyInfo>)? (<Object ID?>)* </Signature>

4 RSA-DSS Recognition/Adoption
Cryptographic Message Syntax (CMS, [RFC 3852]) RSA-PSS signature method ([RFC 4056]). DSS Draft [FIPS Draft] section 5.5 references [PKCS#1 v2.1] and considers RSA-PSS as approved. [RFC 4056] Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS)

5 What do we need? Namespace and identifiers for RSA-PSS
XML schema for the algorithm parameters

6 Namespace Algorithm Identifiers
Algorithm Identifiers SignatureMethod Mask Generation Function Hash Functions specified in XML encryption [XMLEnc] (SHA-256, SHA-512), [RFC4051] SHA-224 and SHA-384 specified in [XMLDSig] SHA-1

7 RSA-PSS Parameters the digest method (dm)
the mask generation function (MGF) the digest method if used in the MGF (mgf-dm) the salt length (sl) the usually constant trailer field (tf)

8 Default (fixed values?)
NIST Drafts - moving away from SHA-1 to longer output lengths of the SHA family. [FIPS 180‑3 Draft], [NIST SP  Draft] and [NIST SP Draft] dm SHA-256 (SHA-1 [PKCS#1v2.1]) MGF MGF1 mgf-dm = dm (SHA-1) sl length(dm)/8=32 byes (20 bytes) tf 1 (corresponds to 0xbc)

9 SHA-1 tarnished SHA-1[NIST SP 800-57 Draft]
less than 80 bits of security, currently asses the security strength against collisions at 69 bits successful collision attacks on SHA-1 reduced SHA-1 steps [WaYiYu] steps [CaMeRe] steps [MeReRei] theoretical attacks on full version (80 steps) op. [WaYiYu] announced 263 [WaYaYa] op. announced [MeReRei] "recent successful collision search attacks" ein paar Korrekturen und weitere Infos: wirkliche Kollisionen: *Wang hat für 53-step variante collision gezeigt. (2005) *Wir (Christophe und ich) für 64-steps (2006) *Wir (Christophe, Florian und ich) für 70 steps. (Referenz, "Collisions for 70-step SHA-1: On The Full Cost of Collision Search, SAC 2007) Theoretische Attacken auf 80-step SHA-1: * Wang, 269,   Announcement ohne Details: 263 * wir (Florian, ich und Vincent) haben kürzlich eine neue Attacke mit 260 Operationen angekündigt (auch ohne Details)  Referenz: CRYPTO Rump Session 2006, "Update on SHA-1"

10 RFC 4055 RSA-PSS parameters
subjectPublicKeyInfo field of an X.509 certificate parameters to be added to the signature unless default values are used dm = dm’ as in the key/certificate MGF = MGF’ as in the key/certificate dm-mgf = dm-mgf’ as in the key/certificate sl >= sl’ as the one in the key/certificate tf = tf’ as specified by the key/certificate (effective val)

11 Examples Example 1 defaults Example 2 Example 3 Example 4
SHA-256, MFG1 with SHA-256, default salt length 256/8=32 bytes, trailer = 1 (‘0xbc’) Example 2 SHA-512, MFG1 with SHA-512, salt length of 512/8=64 bytes, trailer = 1. Example 3 SHA-1, MFG1 with SHA-1, salt length of 256/8=32 bytes, trailer = 1. Example 4 SHA-1, MFG1 with SHA-1, salt length of 32 bytes, trailer = 1. <Signature ID?> <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> (<Reference URI? > (<Transforms/>)? <DigestMethod/> <DigestValue/> </Reference>)+ </SignedInfo> <SignatureValue> (<KeyInfo>)? (<Object ID?>)* </Signature>

12 Conclusion RSA-PSS as a signature method
plain SHA-1 should not be default any more SHA-256 as default hash algorithm specification and approaches encoding the RSA-PSS parameters with the key or certificate has been discussed

13 Thanks Thanks for your Attention ! References in position paper.
[FIN-BLEICH] Hal Finney: Bleichenbacher’s RSA signature forgery based on implementation error, 17 Aug. 2006, [PKCS#1v1.5] PKCS#1 v1.5: RSA Encryption Standard RSA Laboratories; 1 Nov. 1993, [PKCS#1v2.1] PKCS#1 v2.1: RSA Cryptography Standard RSA Laboratories; 14 June 2002, [RFC 3852] Russ Housley: Cryptographic Message Syntax (CMS); RFC 3852; July 2004, [RFC4051] D. Eastlake 3rd: Additional XML Security Uniform Resource Identifiers (URIs) ; RFC 4051; Apr. 2005 [RFC 4055] Jim Schaad: Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile; RFC 4055; June 2005 [RFC 4056] Jim Schaad: Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS); RFC 4056; June 2005 [XMLDSig] XML-Signature Syntax and ProcessingW3C Recommendation 12 Feb. 2002, [XMLEnc] XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002 [KAL-PSS] Burt Kaliski: Raising the Standard for RSA Signatures: RSA-PSS, RSA Laboratories 26 Feb. 2003, [FIPS Draft] Digital Signature Standard (DSS) FIPS 186-3, March 2006 [FIPS Draft] Secure Hash Standard (SHS), June 2007, [NIST SP Draft] Recommendation for Using Approved Hash Algorithms, NIST July 2007, [NIST SP Draft] Recoomendation for Key Management, NIST March 2007, [CaRe] Christophe De Canniere, Christian Rechberger: Finding SHA-1 Characteristics; Presented at the Second NIST Cryptographic Hash Workshop (Santa Barbara, California, USA, August 2006), to appear at ASIACRYPT 2006 [WaYaYa] Xiaoyun Wang, Andrew Yao, Frances Yao: Cryptanalysis of SHA-1. Presented at the First NIST Cryptographic Hash Workshop, Oktober 2005 [WaYiYu] Xiaoyun Wang, Yiqun Lisa Yin, Hongbo Yu: Finding Collisions in the full SHA-1; CRYPTO 2005 (Santa Barbara, California, USA, August 2005) Proceedings, volume 3621of LNCS, pages 17–36. Springer, 2005.(editor: Victor Shoup)

14 JAVA XML-DSig (JSR 105) XML-Enc (JSR 106)
XML-Enc (JSR 106)

15 Thanks ! SIC – XSect Toolkit
IAIK XML Signature Library (IXSIL) Successor Java XML Digital Signatures APIs (JSR105) Java XML Digtial Encryption APIs (JSR106) Thanks for your Attention.

Download ppt "Position Paper W3C Workshop Mountain View"

Similar presentations

Ads by Google