public inbox for tpm2@lists.linux.dev
* Can the RSA PSS salt length be changed?
From: Petr Gotthard @ 2024-06-29 10:04 UTC
  To: tpm2

Hello,
I have a question concerning the TCG specification.

OpenSSL has a function EVP_PKEY_CTX_set_rsa_pss_saltlen() that can be used to set the RSA PSS salt length. Some implementations don't use the maximum possible salt length, but use a shorter value, e.g. set the salt length to the digest length (RSA_PSS_SALTLEN_DIGEST).
https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set_rsa_pss_saltlen.html

The TCG specification (Part 1, Section B.7) on the other hand says: For both restricted and unrestricted signing keys, the random salt length will be the largest size allowed by the key size and message digest size.

Does this mean that a TPM2.0 cannot handle shorter RSA PSS salt lengths, i.e. that the EVP_PKEY_CTX_set_rsa_pss_saltlen() function can never be implemented using any TPM? This might cause compatibility issues.


Regards,
Petr


* RE: Can the RSA PSS salt length be changed?
From: Andreas.Fuchs @ 2024-07-01  6:06 UTC
  To: petr.gotthard, tpm2

Hi Petr,

B.7 follows your quoted sentence with:
NOTE If the TPM implementation is required to be compliant with FIPS 186-4, then the random salt length will be the largest size allowed by that specification.

So basically, the TPM has no way of setting it, but uses either the max length or the hash-size length (up to the vendor).
This was introduced after we found the incompatibilities as you mentioned.

By now, I would assume that implementations have switched to the hash-size based salt length following FIPS 186-4, but the only way to know is to check databooks or test.

Bests,
Andreas
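
An added example, not part of either message and not TPM or OpenSSL code: a way to test which salt length a signer used, by decoding the EMSA-PSS block (RFC 8017, section 9.1) and reading the salt length back out. SHA-256, MGF1 with the same hash, a 2048-bit modulus and the constructed test message are assumptions; the RSA public-key step is only indicated in a comment.

```python
import hashlib
import os

def mgf1(seed, length, h=hashlib.sha256):
    """MGF1 mask generation function from RFC 8017, B.2.1."""
    out, counter = b"", 0
    while len(out) < length:
        out += h(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def max_salt_len(mod_bits, h_len):
    """Largest salt that fits: emLen - hLen - 2, emLen = ceil((modBits-1)/8)."""
    return (mod_bits - 1 + 7) // 8 - h_len - 2

def emsa_pss_encode(m_hash, em_bits, salt, h=hashlib.sha256):
    """Build the encoded message EM that the RSA private operation signs."""
    h_len, em_len = h().digest_size, (em_bits + 7) // 8
    if em_len < h_len + len(salt) + 2:
        raise ValueError("salt too long for this key and digest")
    H = h(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(H, len(db), h)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear bits above em_bits
    return bytes(masked) + H + b"\xbc"

def recover_salt_len(em, m_hash, em_bits, h=hashlib.sha256):
    """Verify EM and return the salt length the signer used.
    With a real signature, em = pow(sig, e, n).to_bytes(em_len, "big")."""
    h_len, em_len = h().digest_size, (em_bits + 7) // 8
    top = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em_len < h_len + 2 or em[-1] != 0xBC or em[0] & ~top & 0xFF:
        raise ValueError("not a valid PSS encoding")
    masked, H = em[:-h_len - 1], em[-h_len - 1:-1]
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(H, len(masked), h)))
    db[0] &= top
    sep = bytes(db).find(b"\x01")  # zero padding ends at the first 0x01
    if sep < 0 or any(db[:sep]):
        raise ValueError("bad padding")
    salt = bytes(db[sep + 1:])
    if h(b"\x00" * 8 + m_hash + salt).digest() != H:
        raise ValueError("hash mismatch")
    return len(salt)

if __name__ == "__main__":
    digest = hashlib.sha256(b"constructed test message").digest()
    for n in (32, max_salt_len(2048, 32)):  # digest-length vs. maximum salt
        em = emsa_pss_encode(digest, 2047, os.urandom(n))
        print(n, recover_salt_len(em, digest, 2047))
```

A verifier that is configured with one fixed salt length rejects a signature made with the other, which is the incompatibility the thread describes.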

