Join Log in
Score:0
avatar Crypto

Is RSA in ciphersuites secure?

us flag
miklo009

Ciphersuite website says TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is secure but how do I know which RSA is used for the signature generation? If its the hashed one, where you hash the message before signing it, cant an attacker still generate valid signatures where he computes: (message,signature):( hash(m)^e , hash(m) ) and it is a valid signature?

51
0 + 0
kelalaka avatar
in flag
kelalaka
It is your signature, so you can choose whatever you want, keep in mind that you can have [timout](https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384/). Signature performed on your private key, not on your the public key!
0
Reply
us flag
miklo009
@kelalaka I mean, an attacker could forge that signature using the public key since: (m^e, m) = (m^e, m^e*d mod n). He doesnt need the private key since he knows the result of adding private key to m^e would be m
0
Reply
kelalaka avatar
in flag
kelalaka
In signatures, RSA uses special padding, [RSA-PSS](https://en.wikipedia.org/wiki/Probabilistic_signature_scheme), it is secure. What you described is called textbook-RSA signature.
0
Reply
us flag
miklo009
@kelalaka thanks, but how do I know which RSA is used in this certain ciphersuite? Where can I read up on that?
0
Reply
kelalaka avatar
in flag
kelalaka
RFC your friend: https://datatracker.ietf.org/doc/html/rfc5246/#page-45
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
Note that in TLS 1.2 RFC specifies PKCS#1 v1.5 signatures, not PSS, more info [here](https://crypto.stackexchange.com/a/79669/1172). But PKCS#1 v1.5 signatures are still considered secure as well, so no change in that regard.
0
Reply
us flag
miklo009
@MaartenBodewes whats the difference between PSS and PKCS#1 v1.5? Is PSS "more safe", that it is used so well in TLS 1.3? Is PSS used in ECDSA?
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
It's randomized and has a security proof (on the padding, not RSA, it assumes RSA is secure). As the differences in detail, read the RFC for RSA / PKCS#1 v2.2
0
Reply
Score:2
poncho avatar Crypto
my flag
poncho

If its the hashed one, where you hash the message before signing it, cant an attacker still generate valid signatures where he computes: (message,signature):( hash(m)^e , hash(m) ) and it is a valid signature?

Actually, $hash(m)$ is extremely unlikely to be a valid signature for anything. When TLS uses RSA to sign, what we do is hash the transcript (that is, the sequence of records that occurred before the signature), apply padding to the hash, and then compute $pad(hash(transcript))^d$. That is, when TLS verifies the signature, it takes the signature, computes $signature^e$, and sees if that happens to be $pad(transcript)$. It is quite unlikely that $hash(m)^e$ will happen to have a valid padding pattern; the bytes of $hahs(m)^e$ would need to be the values 00 01 FF FF FF ... FF 00 <DER of hash function>

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.