Everything you need to know about RSASSA-PSS
Read time: 10 minutes
Rivest Shamir Adleman (RSA) is an asymmetric algorithm that can be used for encrypting and signing data. Both the encryption and the signing operations are performed through a series of modular multiplications. The security of RSA can be increased by using longer key lengths, such as 1,024 bits or more; the longer the key, however, the slower the encryption or signing operation. It is one of the most popular and secure public-key encryption methods. There are two different RSA signature schemes specified in PKCS #1:
- RSASSA-PKCS1-v1_5: the old Signature Scheme with Appendix, first standardized in version 1.5 of PKCS #1.
- RSASSA-PSS (RSASSA = RSA Signature Scheme with Appendix): based on the Probabilistic Signature Scheme (PSS) originally invented by Bellare and Rogaway.
Difference between RSASSA-PKCS1-v1_5 and RSASSA-PSS:
| RSASSA-PKCS1-v1_5 | RSASSA-PSS |
|---|---|
| Deterministic: the same message and key always produce the same signature | Randomized: a fresh salt produces a different signature value each time |
| The message digest value can be extracted from the signature | The digest cannot be extracted from the signature; it can only be verified against a known message digest value |
| Less secure and robust | Has a security proof and is more robust than PKCS1-v1_5 |
| An old scheme | A newer scheme |
| Recommended only for compatibility with existing signature applications | Recommended for eventual adoption in new signature applications, as it avoids certain critical weak points of the older standard |
Attacks on old signature schemes
- The Bleichenbacher attack
In 1998, Daniel Bleichenbacher found that the error messages returned by SSL servers for malformed Public-Key Cryptography Standards (PKCS) #1 version 1.5 padding enabled an adaptive chosen-ciphertext attack, in which an attacker sends a series of ciphertexts to be decrypted and uses the results of those decryptions to choose the subsequent ciphertexts. This allowed an attacker to perform RSA decryption and signing operations with the private key of a TLS server, completely breaking the confidentiality of TLS when used with RSA encryption.
- Fault-based attack
In 1996, Dan Boneh and others presented an attack on RSA implementations that perform faulty calculations. By injecting random faults into the RSA computation, they were able to recover the private key from the resulting faulty signatures. RSA implementations that use the Chinese remainder theorem to speed up calculations are especially vulnerable: a single erroneous signature allows the private key to be recovered.
Protection against fault-based attacks like this is especially important in embedded devices such as chip cards, which are built not to expose the private key but to provide cryptographic operations like signatures in an environment potentially under the control of an attacker. Further studies have established that PSS is not vulnerable to these fault-based attacks.
RSASSA-PSS is an improved probabilistic signature scheme with appendix. This means that a private RSA key is used to sign the data in combination with random input. The other side of the communication can then verify the signature using the corresponding public RSA key. Because the scheme uses random data, two signatures over the same input are different, and both can be used to validate the original data.
- Hash Algorithm/Function
Hash functions are used in encryption schemes, signature schemes with appendix and various encoding methods. Hash functions are deterministic, meaning that the output is completely determined by the input. Hash functions take input strings of variable length and generate fixed length output strings.
- Mask Generation functions
A mask generation function takes an octet string of variable length and the desired output length as input and outputs an octet string of the desired length. Mask generation functions (MGF) are deterministic in nature. The output of a mask generation function should be pseudorandom, that is, if the seed to the function is unknown, it should be infeasible to distinguish the output from a truly random string.
The provable security of RSAES-OAEP and RSASSA-PSS relies on the random nature of the output of the mask generation function, which in turn relies on the random nature of the underlying hash.
- Salt length
It gives the length of the salt value associated with the signature operation. The field is intended to facilitate single-pass processing. If the field is omitted, the salt value shall be obtained from the signature. The salt enhances the security of the scheme by affording a "tighter" security proof than deterministic alternatives such as Full Domain Hashing (FDH).
- Trailer field
It is used in the encoding operation and is an integer. The value MUST be 1, which represents the trailer field with hexadecimal value 0xBC.
Default and recommended values of these parameters:

| Parameter | Default value | Notes |
|---|---|---|
| Hash algorithm | sha1 (SHA-1) | SHA-256 is recommended |
| Mask generation function | mgf1SHA1 (MGF1 with SHA-1) | MGF1 must be used |
| Salt length | 20 | The convention is to use hLen, the length of the hash output in bytes |
| Trailer field | trailerFieldBC (the byte 0xbc) | The value must be 1 |
It is recommended that the MGF use the same hash function as the signature scheme, and that the salt length be hLen, the length of the hash function output in bytes.
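As an added example that is not part of the original article, the EMSA-PSS encoding and verification steps (RFC 8017, section 9.1) in Python with only the standard library, using the parameters discussed above: SHA-256 as the scheme hash, MGF1 over the same hash, salt length hLen and trailer field 0xBC. The RSA modular exponentiation is left out so the padding logic runs stand-alone; the emBits value of 2047 used when exercising it is a constructed figure for a 2048-bit modulus.

```python
import hashlib
import hmac
import os

# Constructed example of EMSA-PSS encode/verify (RFC 8017, section 9.1) using
# the parameters discussed in the article: SHA-256 as the scheme hash, MGF1
# built on the same hash, salt length hLen and trailer field 0xBC. The RSA
# modular exponentiation is left out so only the padding logic is shown.
HASH = hashlib.sha256
HLEN = HASH().digest_size          # hLen in bytes
TRAILER = b"\xbc"                  # trailerField = 1 means this single byte


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1: deterministic mask built from Hash(seed || 4-byte counter)."""
    out = b""
    for counter in range((mask_len + HLEN - 1) // HLEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def emsa_pss_encode(msg: bytes, em_bits: int, salt: bytes = None) -> bytes:
    """Build the emBits-bit encoded message EM (a fresh salt randomizes it)."""
    em_len, s_len = (em_bits + 7) // 8, HLEN
    if em_len < HLEN + s_len + 2:
        raise ValueError("encoding error: emBits too small for hash + salt")
    salt = os.urandom(s_len) if salt is None else salt
    h = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()   # H = Hash(M')
    db = b"\x00" * (em_len - s_len - HLEN - 2) + b"\x01" + salt    # PS||01||salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - HLEN - 1)))
    top_mask = 0xFF >> (8 * em_len - em_bits)      # clear the excess high bits
    return bytes([masked[0] & top_mask]) + masked[1:] + h + TRAILER


def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int) -> bool:
    """Check EM against msg; the salt is recovered from EM, never transmitted."""
    em_len, s_len = (em_bits + 7) // 8, HLEN
    if len(em) != em_len or em_len < HLEN + s_len + 2 or em[-1:] != TRAILER:
        return False
    masked, h = em[: em_len - HLEN - 1], em[em_len - HLEN - 1 : -1]
    excess = 8 * em_len - em_bits
    if masked[0] >> (8 - excess):                  # excess high bits must be 0
        return False
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, em_len - HLEN - 1)))
    db = bytes([db[0] & (0xFF >> excess)]) + db[1:]
    ps_len = em_len - HLEN - s_len - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False
    salt = db[-s_len:]                             # recovered, not transmitted
    h_prime = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
    return hmac.compare_digest(h, h_prime)
```

Encoding the same message twice yields two different EM values that both verify, which is the randomization the comparison table describes; verification needs only the hash of the message because the salt is recovered from the DB field.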
RSASSA-PSS is an improved signature scheme with appendix. It uses an RSA private key to sign the data, and the recipient then verifies the signature using the corresponding public RSA key. It has several configurable parameters and is more secure and robust than the older scheme.