rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*

rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*

John Jiang
Using OpenSSL 1.1.1-pre7

Please consider the following cases and handshaking results:
1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite
Handshaking failed with no suitable cipher

2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite
Handshaking succeeded.

3. rsa_pss_rsae_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite
Handshaking succeeded.

4. rsa_pss_rsae_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite
Handshaking succeeded.

Why did case 1 fail?

Thanks!

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*

Jakob Bohm-7
On 19/06/2018 15:40, John Jiang wrote:

> Using OpenSSL 1.1.1-pre7
>
> Please consider the following cases and handshaking results:
> 1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384
> cipher suite
> Handshaking failed with no suitable cipher
>
> 2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> cipher suite
> Handshaking succeeded.
>
> 3. rsa_pss_rsae_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384
> cipher suite
> Handshaking succeeded.
>
> 4. rsa_pss_rsae_256 certificate +
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite
> Handshaking succeeded.
>
> Why did case 1 fail?

The TLS_RSA_ cipher suites require that the premaster secret
is encrypted with the RSA key in the server's certificate.
But an rsa_pss_pss_256 certificate (have not seen that notation
before) is probably a signing-only certificate, that says not
to encrypt anything with its RSA key.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*

John Jiang
2018-06-19 23:11 GMT+08:00 Jakob Bohm <[hidden email]>:
> On 19/06/2018 15:40, John Jiang wrote:
>> Using OpenSSL 1.1.1-pre7
>>
>> Please consider the following cases and handshaking results:
>> 1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite
>> Handshaking failed with no suitable cipher
>>
>> 2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite
>> Handshaking succeeded.
>>
>> 3. rsa_pss_rsae_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite
>> Handshaking succeeded.
>>
>> 4. rsa_pss_rsae_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite
>> Handshaking succeeded.
>>
>> Why did case 1 fail?
>
> The TLS_RSA_ cipher suites require that the premaster secret
> is encrypted with the RSA key in the servers certificate.
> But an rsa_pss_pss_256 certificate (have not seen that notation
> before) is probably a signing-only certificate, that says not
> to encrypt anything with its RSA key.

Why does rsa_pss_rsae_256 + TLS_RSA_* work?
It sounds like rsa_pss_pss_256 and rsa_pss_rsae_256 are the same signature scheme.

Thanks!

Re: rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*

Hubert Kario
On Wednesday, 20 June 2018 07:51:11 CEST John Jiang wrote:

> 2018-06-19 23:11 GMT+08:00 Jakob Bohm <[hidden email]>:
> > On 19/06/2018 15:40, John Jiang wrote:
> >> Using OpenSSL 1.1.1-pre7
> >>
> >> Please consider the following cases and handshaking results:
> >> 1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher
> >> suite
> >> Handshaking failed with no suitable cipher
> >>
> >> 2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> >> cipher suite
> >> Handshaking succeeded.
> >>
> >> 3. rsa_pss_rsae_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher
> >> suite
> >> Handshaking succeeded.
> >>
> >> 4. rsa_pss_rsae_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> >> cipher suite
> >> Handshaking succeeded.
> >>
> >> Why did case 1 fail?
> >
> > The TLS_RSA_ cipher suites require that the premaster secret
> > is encrypted with the RSA key in the servers certificate.
> > But an rsa_pss_pss_256 certificate (have not seen that notation
> > before) is probably a signing-only certificate, that says not
> > to encrypt anything with its RSA key.
>
> Why does rsa_pss_rsae_256 + TLS_RSA_* work?
> It sounds that rsa_pss_pss_256 and rsa_pss_rsae_256 are the same signature
> scheme.

Because a certificate that is usable for rsa_pss_rsae_sha256 signatures has an
rsaEncryption Subject Public Key Info, that means it is generally usable both
for encrypting the premaster key (TLS_RSA_* ciphers) and making signatures of
its own (TLS_ECDHE_RSA_* ciphers), unless the KeyUsage X509v3 extension
doesn't say otherwise...

A certificate that has an rsassa-pss Subject Public Key Info key is usable *only*
for making rsassa-pss signatures (or rsa_pss_pss_* signatures).
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
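
The distinction drawn in the answer above, as an added example that is not part of the thread and not OpenSSL code: it reads the algorithm OID out of a DER SubjectPublicKeyInfo and decides whether the key fits a TLS 1.2 RSA cipher suite, reproducing the four cases from the original question. The function names, the `key_usage` parameter and the sample SPKI bytes (with a placeholder key) are assumptions constructed for the illustration; the KeyUsage checks follow the TLS 1.2 certificate rules.

```python
# Added illustration, not OpenSSL code. OIDs are the PKCS #1 (RFC 8017) values.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"    # rsaEncryption  -> rsa_pss_rsae_*
RSASSA_PSS = "1.2.840.113549.1.1.10"       # id-RSASSA-PSS  -> rsa_pss_pss_*

def read_tlv(buf, pos=0):
    """Return (tag, value) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length]

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0   # enough for 0.* and 1.* OIDs
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)        # base-128, high bit = "more"
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def spki_algorithm(spki_der):
    """OID of SubjectPublicKeyInfo.algorithm.algorithm."""
    t1, spki = read_tlv(spki_der)           # SubjectPublicKeyInfo SEQUENCE
    t2, alg = read_tlv(spki)                # AlgorithmIdentifier SEQUENCE
    t3, oid = read_tlv(alg)                 # OBJECT IDENTIFIER
    if (t1, t2, t3) != (0x30, 0x30, 0x06):
        raise ValueError("not a SubjectPublicKeyInfo")
    return decode_oid(oid)

def usable(spki_der, cipher_suite, key_usage=None):
    """key_usage: set of KeyUsage bit names, or None if the extension is absent."""
    oid = spki_algorithm(spki_der)
    if cipher_suite.startswith("TLS_RSA_"):          # key transport: key must encrypt
        return oid == RSA_ENCRYPTION and (key_usage is None or "keyEncipherment" in key_usage)
    if cipher_suite.startswith("TLS_ECDHE_RSA_"):    # key only signs ServerKeyExchange
        return oid in (RSA_ENCRYPTION, RSASSA_PSS) and (key_usage is None or "digitalSignature" in key_usage)
    raise ValueError("not an RSA-authenticated cipher suite")

def make_spki(oid_der, params):
    """Constructed sample SPKI; the BIT STRING is a placeholder, not a real key."""
    alg = b"\x30" + bytes([len(oid_der) + len(params)]) + oid_der + params
    key = b"\x03\x02\x00\x00"
    return b"\x30" + bytes([len(alg) + len(key)]) + alg + key

RSAE_SPKI = make_spki(bytes.fromhex("06092a864886f70d010101"), b"\x05\x00")
PSS_SPKI = make_spki(bytes.fromhex("06092a864886f70d01010a"), b"")
```
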