Re: RSASSA-PSS using a wounded hash function
On Aug 24, 7:44 am, Noob <r...@xxxxxxxxx> wrote:
Tom St Denis wrote:
Noob wrote:

I'm using LTC to add RSASSA-PSS to a slow (130 MHz) STB.
(Thanks for LTC ;-)

You're welcome, keep in mind there are no maintainers of LTC that I'm
aware of.  A few people have offered up to maintain it over the years
but I have yet to see a 1.18 release ... :-/

There are bugs in some of the ASN.1 [which is largely incomplete] and
a few other places which I won't really go into.

I used rsa_export and rsa_import. AFAIU, these functions rely on the ASN.1 code.

Are there bugs in that specific part of the ASN.1 implementation, or was that
use case (rsa_import and rsa_export) somewhat bug-free?

To be honest I don't remember the exact bugs; it came up when I was
doing X.509 related stuff. Generally what you need for PKCS #1 is
fairly tame, and that code works, so I suspect if that's all you're
doing you're fine.

The signature will only be as strong as its weakest link; assuming
that's not your PK implementation, it'll be the choice of hash.

What is considered the PK implementation?

The scope of that depends on your problem really. If it's a smartcard
system you'd want to check out side channels [time, power, etc]. If
an attacker can cause the device to process anything they throw at it
you have to make sure it's well formed, etc...

Tom
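Added example (not part of the thread, and not LTC's code): a stand-alone EMSA-PSS encode/verify pair per PKCS #1 v2.1 (9.1.1, 9.1.2, B.2.1) with hashlib, showing the two points above: the hash is a pluggable parameter the PSS layer does nothing to strengthen, and a verifier must check every structural field (length, 0xbc trailer, cleared top bits, zero PS, 0x01 separator) before trusting the salted hash. `pss_demo`, the 1024-bit modulus and the salts are constructed for the demo; the RSA modular step itself is left out.

```python
import hashlib

def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 (PKCS#1 v2.1, B.2.1): hash(seed || counter) until `length` bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def emsa_pss_encode(m_hash: bytes, em_bits: int, hash_name: str, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (PKCS#1 v2.1, 9.1.1) of an already-computed digest."""
    h_len, s_len, em_len = len(m_hash), len(salt), (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - h_len - 1, hash_name)))
    top = 0xFF >> (8 * em_len - em_bits)          # clear bits above emBits so EM < n
    return bytes([masked[0] & top]) + masked[1:] + h + b"\xbc"

def emsa_pss_verify(m_hash: bytes, em: bytes, em_bits: int, hash_name: str, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (9.1.2): every structural field is checked before the salt."""
    h_len, em_len = len(m_hash), (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False                               # wrong length or trailer
    masked, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:
        return False                               # leftmost bits must be zero
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, em_len - h_len - 1, hash_name)))
    db = bytes([db[0] & top]) + db[1:]
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False                               # PS must be all zero, then 0x01
    salt = db[ps_len + 1:]
    return hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest() == h

def pss_demo(message: bytes, hash_name: str, salt: bytes, mod_bits: int = 1024) -> tuple:
    """Encode, then verify both the genuine EM and a copy with one bit flipped in
    the masked DB; returns (genuine_ok, tampered_ok). The hash is only a
    parameter here: nothing in the PSS layer compensates for a weak choice."""
    em_bits = mod_bits - 1                         # PKCS#1: emBits = modBits - 1
    m_hash = hashlib.new(hash_name, message).digest()
    em = emsa_pss_encode(m_hash, em_bits, hash_name, salt)
    tampered = em[:10] + bytes([em[10] ^ 0x08]) + em[11:]   # lands inside PS
    return (emsa_pss_verify(m_hash, em, em_bits, hash_name, len(salt)),
            emsa_pss_verify(m_hash, tampered, em_bits, hash_name, len(salt)))
```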