[Cryptography] Why RSA-PSS is much less secure than PKCS #1 v1.5

Thierry Moreau thierry.moreau at connotech.com
Mon Nov 11 15:02:10 EST 2019

On 11/11/19 04:34 AM, Peter Gutmann wrote:
> There is a view that RSA-PSS (henceforth referred to as PSS) is more secure
> than PKCS #1 v1.5 (henceforth PKCS #1), [...]
> In practice however PSS is much less secure and vastly more brittle than
> PKCS #1 [...]

Executive summary: crypto coding is hard, watch out for algorithm agility.

> * It uses a stream cipher (XOR-mask) that allows you to make easily
>    predictable changes to the data.

(I did not review this aspect) This seems a very big newbie design 
error, hence ??!

> * The high level of complexity and special-case checks and operations make it
>    pretty much impossible to implement in a side-channel-free manner.

What is the relevance of a side-channel vulnerability for signature 
*validation* which handles only public data?

> At the moment there isn't an obvious attack that takes advantage of this
> beyond the obvious hash-substitution, but it gives the attacker an awful lot
> of control over the internals of the PSS verification operation.

That's it: implement any algorithm agility "feature" with a self-defense 
strategy -- always.

Relevant history: an RSA exponent 3 signature validation implementation 
flaw was wrongly described as "allowing the attacker to create valid 
signatures without the the private signature key" (or so) while it is 
the flawed validation that issued a false positive outcome.

- Thierry

P.S. Do we have an ASN.1 Org Id for CRC-256 hash algorithm?

More information about the cryptography mailing list