Score:0

Is RSA in ciphersuites secure?


Ciphersuite website says TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is secure, but how do I know which RSA is used for the signature generation? If it's the hashed one, where you hash the message before signing it, can't an attacker still generate valid signatures where he computes (message, signature) = (hash(m)^e, hash(m)), and it is a valid signature?

kelalaka
It is your signature, so you can choose whatever you want; keep in mind that you can have a [timeout](https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384/). The signature is performed with your private key, not with the public key!
@kelalaka I mean, an attacker could forge that signature using the public key since (m^e, m) = (m^e, m^e*d mod n). He doesn't need the private key since he knows the result of applying the private key to m^e would be m.
kelalaka
In signatures, RSA uses special padding, [RSA-PSS](https://en.wikipedia.org/wiki/Probabilistic_signature_scheme), it is secure. What you described is called textbook-RSA signature.
@kelalaka thanks, but how do I know which RSA is used in this certain ciphersuite? Where can I read up on that?
kelalaka
The RFC is your friend: https://datatracker.ietf.org/doc/html/rfc5246/#page-45
Maarten Bodewes
Note that the TLS 1.2 RFC specifies PKCS#1 v1.5 signatures, not PSS; more info [here](https://crypto.stackexchange.com/a/79669/1172). But PKCS#1 v1.5 signatures are still considered secure as well, so no change in that regard.
@MaartenBodewes what's the difference between PSS and PKCS#1 v1.5? Is PSS "more safe", so that it is used in TLS 1.3? Is PSS used in ECDSA?
Maarten Bodewes
It's randomized and has a security proof (on the padding, not on RSA; it assumes RSA is secure). As for the differences in detail, read the RFC for RSA / PKCS#1 v2.2.
Score:2

> If it's the hashed one, where you hash the message before signing it, can't an attacker still generate valid signatures where he computes (message, signature) = (hash(m)^e, hash(m)), and it is a valid signature?

Actually, $hash(m)$ is extremely unlikely to be a valid signature for anything. When TLS uses RSA to sign, what we do is hash the transcript (that is, the sequence of records that occurred before the signature), apply padding to the hash, and then compute $pad(hash(transcript))^d$. That is, when TLS verifies the signature, it takes the signature, computes $signature^e$, and sees if that happens to be $pad(transcript)$. It is quite unlikely that $hash(m)^e$ will happen to have a valid padding pattern; the bytes of $hash(m)^e$ would need to be the values `00 01 FF FF FF ... FF 00 <DER of hash function>`.
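The following Python is an added example, not code from the question, the answer or any TLS implementation. It reproduces the verification step the answer describes for RSASSA-PKCS1-v1_5 with SHA-256 (RFC 8017, section 9.2): the verifier recomputes the padded `DigestInfo` block and compares it with `signature^e mod n`. The key size (1024 bits), the hash choice and the "transcript" bytes are constructed for the demo; real certificates use larger keys. It then feeds the verifier the pair from the question, (hash(m)^e, hash(m)), and shows that the decoded block has none of the `00 01 FF...FF 00 DigestInfo` structure.

```python
"""Why hash(m) is not a valid PKCS#1 v1.5 signature: a worked check (added example)."""
import hashlib
import hmac
import secrets

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
# A valid decoded block is: 00 01 || FF..FF || 00 || this prefix || 32-byte hash.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test; demo-grade key generation only."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 1024, e: int = 65537):
    """Return (e, d, n). Demo size only; TLS certificates use >= 2048-bit moduli."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p == q:
            continue
        try:
            d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
        except ValueError:                      # e not invertible mod phi: retry
            continue
        return e, d, p * q


def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 || PS (>= 8 bytes of FF) || 00 || DigestInfo(SHA-256(message))."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for the encoded hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def pkcs1_v15_sign(message: bytes, d: int, n: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_encode(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def pkcs1_v15_verify(message: bytes, signature: bytes, e: int, n: int) -> bool:
    """Recompute the expected block and compare it whole, rather than parsing the padding."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, k))


def has_pkcs1_v15_pattern(em: bytes) -> bool:
    """Diagnostic: does a decoded block even look like 00 01 FF..FF 00 DigestInfo?"""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    return 10 <= i < len(em) and em[i] == 0x00 and em[i + 1:].startswith(SHA256_DIGESTINFO_PREFIX)


def demo(transcript: bytes = b"constructed transcript: ClientHello || ServerHello || ..."):
    """Return (genuine_ok, tampered_ok, question_pair_ok, decoded_has_padding)."""
    e, d, n = generate_keypair()
    k = (n.bit_length() + 7) // 8
    sig = pkcs1_v15_sign(transcript, d, n)
    genuine_ok = pkcs1_v15_verify(transcript, sig, e, n)
    tampered_ok = pkcs1_v15_verify(transcript + b"!", sig, e, n)
    # The question's candidate: signature = hash(m), message = hash(m)^e mod n.
    bogus_sig = hashlib.sha256(transcript).digest().rjust(k, b"\x00")
    decoded = pow(int.from_bytes(bogus_sig, "big"), e, n).to_bytes(k, "big")
    question_pair_ok = pkcs1_v15_verify(decoded, bogus_sig, e, n)
    return genuine_ok, tampered_ok, question_pair_ok, has_pkcs1_v15_pattern(decoded)


if __name__ == "__main__":
    ok, tampered, forged, padded = demo()
    print(f"genuine signature verifies: {ok}")          # True
    print(f"signature over altered transcript: {tampered}")  # False
    print(f"question's (hash(m)^e, hash(m)) pair: {forged}")  # False
    print(f"hash(m)^e looks like a padded block: {padded}")   # False
```

The verifier deliberately re-encodes the expected block and compares all `k` bytes instead of scanning for the `FF` run and the `00` separator; lenient parsing of that padding is where PKCS#1 v1.5 verifiers have historically gone wrong, and the full comparison is what RFC 8017 prescribes.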
