- RSASSA-PKCS1-v1_5: the older Signature Scheme with Appendix, first standardized in version 1.5 of PKCS #1.
- RSASSA-PSS (RSASSA = RSA Signature Scheme with Appendix): based on the Probabilistic Signature Scheme (PSS) originally invented by Bellare and Rogaway.
Difference between RSASSA-PKCS1-v1_5 and RSASSA-PSS:

| RSASSA-PKCS1-v1_5 | RSASSA-PSS |
|---|---|
| PKCS #1 v1.5 is deterministic | It is randomized, producing a different signature value each time |
| The message digest value can be extracted from a PKCS #1 v1.5 signature | It cannot be extracted from a PSS signature; it can only be verified against a known message digest value |
| Less secure and robust | PSS has a security proof and is more robust than PKCS #1 v1.5 |
| It is an old scheme | It is a new scheme |
| It is recommended for compatibility with existing signature applications | It is recommended for eventual adoption in new signature applications, as it does not contain certain weak points of the older standard |
Attacks on old signature schemes
- The Bleichenbacher attack
In 1998, Daniel Bleichenbacher showed that the error messages returned by SSL servers for malformed Public-Key Cryptography Standards (PKCS) #1 version 1.5 padding enabled an adaptive chosen-ciphertext attack, in which an attacker submits a series of ciphertexts for decryption and uses the results to select subsequent ciphertexts. This allowed an attacker to perform RSA decryption and signing operations with the private key of a TLS server, completely breaking the confidentiality of TLS when used with RSA encryption.
- Fault-based attack
In 1996, Dan Boneh and others presented an attack on RSA implementations that perform faulty calculations. By injecting random faults into the RSA computation, they were able to recover the private key from knowledge of the faulty signatures. RSA implementations that use the Chinese remainder theorem to speed up calculations are especially vulnerable: a single erroneous signature allows recovery of the private key.
Protection against fault-based attacks like this is especially important in embedded devices such as chip cards, which are built not to expose the private key but to provide cryptographic operations like signatures in an environment potentially under the control of an attacker. Further studies have, however, established that PSS is not vulnerable to these fault-based attacks.
- Hash Algorithm/Function
Hash functions are used in encryption schemes, signature schemes with appendix and various encoding methods. Hash functions are deterministic, meaning that the output is completely determined by the input. They take input strings of variable length and generate fixed-length output strings.
- Mask Generation functions
A mask generation function takes an octet string of variable length and a desired output length as input, and outputs an octet string of the desired length. Mask generation functions (MGF) are deterministic. The output of a mask generation function should be pseudorandom: if the seed to the function is unknown, it should be infeasible to distinguish the output from a truly random string.
The provable security of RSAES-OAEP and RSASSA-PSS relies on the random nature of the output of the mask generation function, which in turn relies on the random nature of the underlying hash.
- Salt length
It gives the length of the salt value associated with the signature operation. The field is intended to facilitate single-pass processing. If the field is omitted, the salt value shall be obtained from the signature. The salt value enhances the security of the scheme by affording a "tighter" security proof than deterministic alternatives such as Full Domain Hashing (FDH).
- Trailer field
It is an integer used in the encoding operation. The value MUST be 1, which represents the trailer field with hexadecimal value 0xBC.
Default parameter values (RSASSA-PSS-params):
- hashAlgorithm: the default is SHA-1, however SHA-256 is recommended.
- maskGenAlgorithm: MGF1 must be used; the default is mgf1SHA1 (the function MGF1 with SHA-1).
- saltLength: the default value is 20, but the convention is to use hLen, the length of the output of the hash function in bytes.
- trailerField: trailerFieldBC (the byte 0xBC).