rsa pss in xmldsig
play

RSA-PSS in XMLDSig Position Paper W3C Workshop Mountain View 1 - PowerPoint PPT Presentation

Oct 21, 2022 •507 likes •669 views

RSA-PSS in XMLDSig Position Paper W3C Workshop Mountain View 1 25.09.2007 Konrad.Lanz@iaik.tugraz.at Konrad Lanz Digital Signature Services OASIS-DSS - IAIK (Inst. f. angew. Informationsverarbeitung und Kommunikation) - SIC

  1. RSA-PSS in XMLDSig Position Paper W3C Workshop Mountain View 1 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  2. Konrad Lanz • Digital Signature Services OASIS-DSS - IAIK (Inst. f. angew. Informationsverarbeitung und Kommunikation) - SIC • Stiftung Secure Information and Communication Technology - TUG (Technische Universität Graz) • OASIS-DSS TC Voting Member • W3C - Zentrum für Sichere Informationstechnologie (A-SIT) - W3C XML CORE Working Group • Canonicalization (c14n) - XMSSMWG 2 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  3. Introduction <Signature ID?> • Currently <SignedInfo> RSASSA-PKCS1-v1_5 <CanonicalizationMethod/> <SignatureMethod/> - Bleichenbacher (<Reference URI? > (<Transforms/>)? implementation vulnerability <DigestMethod/> <DigestValue/> </Reference>)+ </SignedInfo> • RSA-PSS <Sign atureValue > (<KeyInfo>)? - randomized method (<Object ID?>)* </Signature> • tighter security proof 3 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  4. RSA-DSS Recognition/Adoption • Cryptographic Message Syntax (CMS, [RFC 3852]) - RSA-PSS signature method ([RFC 4056]). • DSS Draft [FIPS 186-3 Draft] - section 5.5 references [PKCS#1 v2.1] and considers RSA-PSS as approved. 4 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  5. What do we need? • Namespace and identifiers for RSA-PSS • XML schema for the algorithm parameters 5 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  6. Namespace Algorithm Identifiers • Namespace - http://www.w3.org/2007/09/xmldsig-pss • Algorithm Identifiers - SignatureMethod • http://www.w3.org/2007/09/xmldsig-pss/#rsa-pss - Mask Generation Function • http://www.w3.org/2007/09/xmldsig-pss/#mgf1 - Hash Functions • specified in XML encryption [XMLEnc] (SHA-256, SHA-512), [RFC4051] SHA-224 and SHA-384 • specified in [XMLDSig] SHA-1 6 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  7. RSA-PSS Parameters • the digest method (dm) • the mask generation function (MGF) - the digest method if used in the MGF (mgf-dm) • the salt length (sl) • the usually constant trailer field (tf) 7 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  8. Default (fixed values?) • NIST Drafts - moving away from SHA-1 to longer output lengths of the SHA family. - [FIPS 180 3 Draft], [NIST SP 800-107 Draft] and [NIST SP ‑ 800-57 Draft] • dm SHA-256 (SHA-1 [PKCS#1v2.1]) • MGF MGF1 - mgf-dm = dm (SHA-1) • sl length(dm)/8=32 byes (20 bytes) • tf 1 (corresponds to 0xbc) 8 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  9. SHA-1 tarnished • SHA-1[NIST SP 800-57 Draft] - less than 80 bits of security, currently asses the security strength against collisions at 69 bits • successful collision attacks on SHA-1 - reduced SHA-1 • 2005 - 53 steps [WaYiYu] • 2006 - 64 steps [CaMeRe] • 2007 - 70 steps [MeReRei] - theoretical attacks on full version (80 steps) • 2005 - 2 69 op. [WaYiYu] announced 2 63 [WaYaYa] • 2007 - 2 60 op. announced [MeReRei] 9 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  10. RFC 4055 RSA-PSS parameters • subjectPublicKeyInfo field of an X.509 certificate • parameters to be added to the signature - unless default values are used • … - dm = dm’ as in the key/certificate - MGF = MGF’ as in the key/certificate • dm-mgf = dm-mgf’ as in the key/certificate - sl >= sl’ as the one in the key/certificate - tf = tf’ as specified by the key/certificate (effective val) 10 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  11. Examples • Example 1 defaults - SHA-256, MFG1 with SHA-256, <Signature ID?> default salt length 256/8=32 bytes, <SignedInfo> trailer = 1 (‘0xbc’) <CanonicalizationMethod/> • Example 2 <SignatureMethod/> (<Reference URI? > - SHA-512 , MFG1 with SHA-512, salt (<Transforms/>)? length of 512/8=64 bytes, trailer = 1. <DigestMethod/> • Example 3 <DigestValue/> </Reference>)+ - SHA-1 , MFG1 with SHA-1, salt length </SignedInfo> of 256/8=32 bytes, trailer = 1. <Sign atureValue > • Example 4 (<KeyInfo>)? - SHA-1, MFG1 with SHA-1, salt (<Object ID?>)* length of 32 bytes , trailer = 1. </Signature> 11 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  12. Conclusion • RSA-PSS as a signature method • plain SHA-1 should not be default any more • SHA-256 as default hash algorithm • specification and approaches encoding the RSA-PSS parameters with the key or certificate has been discussed 12 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  13. Thanks • Thanks for your Attention ! • References in position paper. 13 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  14. JAVA • XML-DSig (JSR 105) - http://www.jcp.org/en/jsr/detail?id=105 • XML-Enc (JSR 106) - http://www.jcp.org/en/jsr/detail?id=106 14 25.09.2007 Konrad.Lanz@iaik.tugraz.at

  15. Thanks ! SIC – XSect Toolkit • IAIK XML Signature Library (IXSIL) Successor • Java XML Digital Signatures APIs (JSR105) • Java XML Digtial Encryption APIs (JSR106) • http://www.sic.st • http://jce.iaik.tugraz.at/sic/products/xml_security • Thanks for your Attention. 15 25.09.2007 Konrad.Lanz@iaik.tugraz.at

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Brian LaMacchia Agenda Guest lecture: Christian Rechberger, KU Leuven Towards SHA-3

Brian LaMacchia Agenda Guest lecture: Christian Rechberger, KU Leuven Towards SHA-3

Winter 2011 Josh Benaloh Brian LaMacchia Agenda Guest lecture: Christian Rechberger, KU Leuven Towards SHA-3 Message-based protocols S/MIME XMLDSIG &amp; XMLENC IPsec (depending on time) Design Charrette Part II

984 views • 75 slides
Issues with XML-Signature Syntax and Processing and Rectifying Approaches Jeff Hodges, Scott

Issues with XML-Signature Syntax and Processing and Rectifying Approaches Jeff Hodges, Scott

Issues with XML-Signature Syntax and Processing and Rectifying Approaches Jeff Hodges, Scott Cantor XMLdsig Workshop Mtv View 25-Sep-2007 Not about performance, per se Position paper was grouped under the title of performance, but

84 views • 6 slides
Widget security model based on MIDP and Web Application based on a security model with TLS/SSL

Widget security model based on MIDP and Web Application based on a security model with TLS/SSL

Widget security model based on MIDP and Web Application based on a security model with TLS/SSL and XMLDsig Claes Nilsson Technology Area Group Leader Web Browsing Marcus Liwell Technology Area Group Leader Security and DRM Rev 1

576 views • 12 slides
Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security Yiqun Lisa Yin Independent Consultant Recent Advances in Hash Collision Attacks Efficient collisions found for MD4, MD5 Improved techniques

800 views • 10 slides
Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam)

Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam)

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan

567 views • 38 slides
CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
K Pre-Post Cloud Tutorial for accessing the K Global File Storage RIKEN R-CCS JULY 2, 2018

K Pre-Post Cloud Tutorial for accessing the K Global File Storage RIKEN R-CCS JULY 2, 2018

K Pre-Post Cloud Tutorial for accessing the K Global File Storage RIKEN R-CCS JULY 2, 2018 Access the GFS using SFTP (1/2) Users can access the K global file storage (GFS) via GFS-GW (GFS-gateway). In this slide, we explain a way to

51 views • 4 slides
Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Computational Complexity Provably-secure constructions Problems with provably-secure constructions Attempts at practical constructions Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark Quo Vadis

874 views • 20 slides
Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019

Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019

I5020 Computer Security Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019 This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License.

740 views • 53 slides
HTTP Mutual authentication and Web security Yutaka OIWA SAAG, IETF 80 Prague RESEARCH CENTER

HTTP Mutual authentication and Web security Yutaka OIWA SAAG, IETF 80 Prague RESEARCH CENTER

HTTP Mutual authentication and Web security Yutaka OIWA SAAG, IETF 80 Prague RESEARCH CENTER FOR INFORMATION SECURITY (RCIS) NATIONAL INSTITUTE OF ADVANCED INDUSTRIAL SCIENCE AND TECHNOLOGY (AIST) Web security Its importance no need to

404 views • 28 slides
Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go wrong on the web! Clients encounter malicious content Web servers are target of break-ins Fake content/servers trick users Data sent

446 views • 16 slides
Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted

Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted

Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted Pattern Immutability The Inverse Life Coach Pattern Trust The foundation of software security 1. Hello! Im Businessman Bob! 2. Hello! Im the

666 views • 66 slides
CS 204: Advanced Computer Networks Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social

CS 204: Advanced Computer Networks Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social

CS 204: Advanced Computer Networks Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social Sciences 1403 http://www.cs.ucr.edu/~jiasi/teaching/cs204_spring17/ 1 Why Networks? Supports the applications that we use today Social media

725 views • 46 slides
Modern Security Model for Linux Operating Systems Aleksander Zdyb S OFTWARE E NGINEER T IZEN P

Modern Security Model for Linux Operating Systems Aleksander Zdyb S OFTWARE E NGINEER T IZEN P

Aleksander Zdyb Modern Security Model for Linux Operating Systems Aleksander Zdyb S OFTWARE E NGINEER T IZEN P LATFORM S ECURITY a.zdyb@samsung.com https://github.com/azdyb Briefly about security requirements About Tizen operating system

920 views • 46 slides
Universit degli Studi di Napoli Federico II Corso di Applicazioni Telematiche a. a. 2008-2009

Universit degli Studi di Napoli Federico II Corso di Applicazioni Telematiche a. a. 2008-2009

Universit degli Studi di Napoli Federico II Corso di Applicazioni Telematiche a. a. 2008-2009 Simon Pietro Romano spromano@unina.it Corso AT AA2008-09 Simon Pietro Romano 1 Session Initiation Protocol (SIP) SIP overview

357 views • 32 slides
Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich

Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich

Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich with attack vectors to exploit. This presentation explores the many potential PostgreSQL external vulnerabilities and shows how they can be

318 views • 29 slides
Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke &lt;mail@danrl.de&gt;

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke &lt;mail@danrl.de&gt;

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke &lt;mail@danrl.de&gt; Wed Apr 18, 2012 University of the German Federal Armed Forces, Munich Slide 1 Outline History Design Goals SSL/TLS Stack

439 views • 15 slides
SSL and TLS SSL Secure Socket Layer TLS Transport Layer Security The common

SSL and TLS SSL Secure Socket Layer TLS Transport Layer Security The common

SSL and TLS SSL Secure Socket Layer TLS Transport Layer Security The common standards for securing network applications in Internet E.g., web browsing Essentially, standards to negotiate, set up, and apply crypto

2.93k views • 13 slides
Session Management e t Software and Web Security 2 a age Sess o sws2 Recall from last week

Session Management e t Software and Web Security 2 a age Sess o sws2 Recall from last week

1 Session Management e t Software and Web Security 2 a age Sess o sws2 Recall from last week Server and client, i ie. web application and browser, b li ti d b communicate by HTTP requests and responses HTTP response can be

631 views • 44 slides
Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons

Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons

Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons SSH Secure shell (remote login) IPSec IP Security suite, originally for use with IPv6 SSL/TLS Secure Sockets Layer / Transport Layer

322 views • 18 slides
Overview Trust Management mechanism. Overview Trust Management mechanism. Trust among parties

Overview Trust Management mechanism. Overview Trust Management mechanism. Trust among parties

P RIVACY -P RESERVING T RUST M ANAGEMENT M ECHANISMS FROM P RIVATE M ATCHING S CHEMES O RIOL F ARRS J OSEP D OMINGO -F ERRER A LBERTO B LANCO -J USTICIA Universitat Rovira i Virgili, Tarragona, Catalonia D ATA P RIVACY M ANAGEMENT 2013 Overview

1.26k views • 93 slides
CSCI-UA.9480 Introduction to Computer Security Session 1.4 Transport Layer Security Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 1.4 Transport Layer Security Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 1.4 Transport Layer Security Prof. Nadim Kobeissi 1.4a HTTPS and TLS 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi What is TLS? The S in HTTP S . Most likely

852 views • 35 slides
CSE 127: Introduction to Security Lecture 15: TLS Deian Stefan UCSD Fall 2019 Material from

CSE 127: Introduction to Security Lecture 15: TLS Deian Stefan UCSD Fall 2019 Material from

CSE 127: Introduction to Security Lecture 15: TLS Deian Stefan UCSD Fall 2019 Material from Nadia Heninger, Dan Boneh, Stefan Savage Reminder: Network Attacker Threat Model Network Attacker: Controls infrastructure: Routers, DNS

1.29k views • 76 slides
Flying the Unfriendly Skies: Overcoming Obstacles in Legacy Simulations to Improve Training John

Flying the Unfriendly Skies: Overcoming Obstacles in Legacy Simulations to Improve Training John

Flying the Unfriendly Skies: Overcoming Obstacles in Legacy Simulations to Improve Training John Williamson, Jennifer Lewis john.e.williamson@saic.com jennifer.e.lewis@saic.com 4 Experienced Development Team 5 INTRODUCTION 1,211 Pilot

574 views • 25 slides

More recommend