[webauthn] Random prefixes to reduce hash requirement of RSA+SHA-1 to TCR

agl has just created a new issue for https://github.com/w3c/webauthn:

== Random prefixes to reduce hash requirement of RSA+SHA-1 to TCR ==
Just a thought that occurred over the weekend:

If there are concerns from COSE about adding RS1 (i.e. RSA with SHA-1) due to the well-known weakness of that hash function, we could instead define the signing operation to sample a random, 64-byte salt, sign the concatenation of the salt plus the message to be signed, and output the concatenation of the salt plus the PKCS#1 v1.5 signature, as the final signature.

This can be implemented using an RSA signing oracle so I believe it won't be a problem to implement with TPMs. It reduces the requirements of the hash function from collision-resistance to target collision-resistance[1]. This is a much weaker property and one which SHA-1 does a much better job at providing. Thus it may mollify some concerns.

This trick is already used in RFC 8032, by way of djb, in which it is called “collision resilience”. Although, in that construction, the private key is augmented with an additional secret that is used to derive the “salt” deterministically from the message to be signed. Since that would complicate things here, and since RSA doesn't have the critical uniqueness requirements that ECDSA & Schnorr signatures do, I suggest sampling it at random.

I picked 64 bytes because that's the block size of SHA-1 and thus the salt would effectively randomise the SHA-1 initial parameters.

If used, the RSA key in question should not be used for traditional RSA signatures too as that could defeat domain-separation in a different protocol. (Although I don't believe that domain separation is much of a thing in the TPM space thus this worry may be moot.)

(cc @selfissued)

[1] See [Bellare & Rogaway `97](http://web.cs.ucdavis.edu/~rogaway/papers/tcr-hash.pdf).

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/822 using your GitHub account

Received on Monday, 26 February 2018 16:30:58 UTC
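The construction proposed in the issue, as an added example that is not part of the original post and not code from the WebAuthn project: a 64-byte random salt is prepended to the message, the concatenation is signed with RSASSA-PKCS1-v1_5 over SHA-1 (the "signing oracle" a TPM would provide), and the output is salt || signature. The RSA key generation, padding and verification below are textbook, pure-Python stand-ins written for illustration (no real library is used), so the key generator and the 1024-bit key size are assumptions for the demo, not something to ship. The last function demonstrates the domain-separation caveat from the post: a plain RS1 signature over any buffer of at least 64 bytes is also a valid randomised signature over the buffer's suffix, which is why the same key must not serve both schemes.

```python
"""Randomised RSA+SHA-1: sign(salt || msg), output salt || sig.  Demo only."""
import hashlib
import hmac
import math
import secrets
from typing import NamedTuple

SALT_LEN = 64  # SHA-1 block size, as proposed in the issue
# DER DigestInfo prefix for SHA-1, from RFC 8017 section 9.2 note 1
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


class PublicKey(NamedTuple):
    n: int
    e: int


class PrivateKey(NamedTuple):
    n: int
    e: int
    d: int


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for a demo key, not a vetted generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit, odd
        if _is_probable_prime(cand):
            return cand


def generate_rsa_key(bits: int = 1024, e: int = 65537) -> PrivateKey:
    """Assumed demo generator (textbook RSA, Python 3.8+ for pow(e, -1, phi))."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return PrivateKey(p * q, e, pow(e, -1, phi))


def _modulus_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def _emsa_pkcs1_v15_sha1(data: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-1(data) into k bytes (RFC 8017 9.2)."""
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5 with SHA-1")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign_pkcs1_v15_sha1(priv: PrivateKey, data: bytes) -> bytes:
    """The plain RS1 'signing oracle' a TPM would expose."""
    k = _modulus_len(priv.n)
    m = int.from_bytes(_emsa_pkcs1_v15_sha1(data, k), "big")
    return pow(m, priv.d, priv.n).to_bytes(k, "big")


def rsa_verify_pkcs1_v15_sha1(pub: PublicKey, data: bytes, sig: bytes) -> bool:
    """Verify by re-encoding and comparing the whole encoded message, so no
    lenient padding parser is exposed (the classic Bleichenbacher pitfall)."""
    k = _modulus_len(pub.n)
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= pub.n:
        return False
    em = pow(s, pub.e, pub.n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15_sha1(data, k))


def sign_randomised(priv: PrivateKey, msg: bytes) -> bytes:
    """Proposed scheme: fresh 64-byte salt, sign salt||msg, emit salt||sig."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt + rsa_sign_pkcs1_v15_sha1(priv, salt + msg)


def verify_randomised(pub: PublicKey, msg: bytes, sig: bytes) -> bool:
    if len(sig) < SALT_LEN:
        return False
    salt, rsa_sig = sig[:SALT_LEN], sig[SALT_LEN:]
    return rsa_verify_pkcs1_v15_sha1(pub, salt + msg, rsa_sig)


def plain_signature_passes_as_randomised(priv: PrivateKey, data: bytes) -> bool:
    """Domain-separation caveat: a plain RS1 signature over `data` (>= 64 bytes)
    is accepted as a randomised signature over data[64:] with salt data[:64]."""
    plain = rsa_sign_pkcs1_v15_sha1(priv, data)
    return verify_randomised(PublicKey(priv.n, priv.e), data[SALT_LEN:],
                             data[:SALT_LEN] + plain)


if __name__ == "__main__":
    key = generate_rsa_key()
    msg = b"constructed authenticator data"  # constructed sample input
    sig = sign_randomised(key, msg)
    print("verify:", verify_randomised(PublicKey(key.n, key.e), msg, sig))
    print("plain sig reinterpreted:", plain_signature_passes_as_randomised(key, bytes(100)))
```

Note that verification hashes salt || msg with the verifier's own SHA-1, so the relying party needs no change to the hash; only the signature layout (64 salt bytes followed by the usual modulus-length signature) differs from RS1.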