Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [rsa-pss]

RSA-PSS (officially: RSASSA-PSS) is an RSA signature scheme that is provably reduced to the RSA problem.

In a Probabilistic Signature Scheme (), the signature depends on a random input, in addition to the private key and message.

RSASSA-PSS is one such scheme for RSA. That is, the only way to break RSASSA-PSS would be to solve the RSA problem itself, or the underlying hash. Whenever possible, RSASSA-PSS (or a de-randomized version, which remains compatible on the verifier side and is at least as secure) should be used in place of PKCS#1v1.5, which has no such proof.

42 questions
22
votes
3 answers

Is RSASSA-PKCS1-v1_5 a good signature scheme for new systems?

Is RSASSA-PKCS1-v1_5 a good signature scheme to recommend that people use in new systems? Is it believed to be secure and represent the state-of-the-art in RSA-based signatures? I understand that RSA-PSS is a newer signature scheme, also…
D.W.
  • 36,982
  • 13
  • 107
  • 196
17
votes
1 answer

Should I be using PKCS1 v1.5 or PSS for RSA signatures?

I am implementing an application where a user needs to sign some data that they have created, store it in an untrusted place, then later retrieve that data and verify it is still authentic before using it. The user already has a RSA keypair for…
izzle
  • 621
  • 1
  • 5
  • 12
14
votes
2 answers

What's the difference between rsa_pss_pss_* and rsa_pss_rsae_* schemes?

I'm trying to understand the difference between rsa_pss_pss_ and rsa_pss_rsae_. The picture shows the extension of TLS1.3's ClientHello. I view the OpenSSL code and find the rsa_pss_rsae_* scheme is corresponding to the scheme in Section 8.1 in…
Nail Jay
  • 317
  • 1
  • 2
  • 8
14
votes
1 answer

RSA-PSS salt size

One of the inputs of RSA-PSS signing and verification is the salt size. According to PKCS#1, you must know the salt size before the verification is carried out. However, this makes interoperability impossible: if, for example, I want my program to…
Conrado
  • 6,614
  • 1
  • 30
  • 45
11
votes
3 answers

What is RSA-PSS and how is it different from a hash?

I can't find any usable resources about it online (at least ones that make sense to me right now), so any links to articles or if you could explain it to me would be greatly appreciated. What I don't understand is what is PSS? I understand that RSA…
lougehrig10
  • 123
  • 1
  • 1
  • 5
10
votes
2 answers

What is the difference between RSASSA-PSS signing and RSA-PSS signing?

I read the RFC 8017 and understood the pkcsv1.5 and pss padding techniques. I understood that in RSASSA-PSS signing scheme the signature will be appended at the end of M. In some websites I read both RSASSA-PSS and RSA-PSS both are same, is it true?…
sg777
  • 485
  • 1
  • 4
  • 13
9
votes
3 answers

Why does OpenSSL differentiate between PSS and non-PSS for private key generation?

RSA-PSS private keys The following command will generate an RSA-PSS private key: openssl genpkey -algorithm rsa-pss -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 -out CA.priKey Here's a sample one I just…
neubert
  • 2,969
  • 1
  • 29
  • 58
7
votes
2 answers

Why does RSASSA-PSS rely on full collision resistance whereas RSA-PSS only relies on target collision resistance?

This is sort-of a reply to the top answer given to this question, which states that whereas RSA-PSS, defined in terms of $H(r \ || \ M)$, only relies on target collision resistance and is secure even if MD5 is used (or at least was at the time of…
whatf0xx
  • 203
  • 1
  • 4
6
votes
1 answer

RSA PSS security advantage

To my humble opinion, please correct me if I'm wrong, RSA-PSS (PKCS#1 ver 2.1) advantage over RSA as described in PKCS#1 ver. 1.5 is in its security proofs. Does this proof and the advantage is still there even if the "salt" in the RSA-PSS scheme is…
Evgeni Vaknin
  • 1,155
  • 8
  • 20
6
votes
1 answer

Can RSA-PSS signing be made deterministic without loss of security?

Is it possible to make RSA-PSS signing deterministic without loss of security? Specifically, I would use Blake2b of the key and message to generate the salt.
Demi
  • 4,853
  • 1
  • 22
  • 40
5
votes
1 answer

RSASSA-PSS in TLS 1.2

I know it is possible to use RSASSA-PKCS1-v1_5 with client certificates in TLS 1.3. But what about the other way around: using RSASSA-PSS with client certificates in TLS 1.2? Is it possible to use RSASSA-PSS signed certificates with TLS 1.2 at all?…
phips
  • 53
  • 1
  • 5
5
votes
1 answer

What are I2OSP & OS2IP in RSA PKCS#1?

I started working with RSA two weeks ago. But I couldn't really understand how exactly I2OSP & OS2IP are working. I am using some open source for signature verification through RSA PSS algorithm. I am trying to generate "EM" from a signature of…
yellanki bhuvan
  • 51
  • 1
  • 2
4
votes
1 answer

Are RSA-PSS parameters standardized?

I wish to agree with a 3rd party on using RSA-PSS algorithm for a implementing a Digital Signature Scheme. I want to avoid selection of RSA parameters like salt length, hash algorithm etc at my side and share the required configuration…
user76827
  • 41
  • 2
4
votes
2 answers

Why does PSS produce an EM message that's almost as long as the modulus?

I try to understand the reasons behind the design of PSS scheme for RSA. Why is the length of the EM message (that is, the result of PSS transformation just before signing) equals approximately to the size of the modulus? Why PSS does not use a last…
Dingo13
  • 2,917
  • 3
  • 29
  • 46
4
votes
1 answer

Is Bypassing Padding Verification in RSA-PSS Dangerous?

I am currently working on a project involving RSA-PSS (Probabilistic Signature Scheme) for digital signatures. While researching potential vulnerabilities, I came across the well-known Bleichenbacher attack, which primarily targets PKCS1 v1.5…
user113612
  • 41
  • 1
1
2 3