
I'm using mbedTLS to generate RSA signatures, and using PKCS 1.5 I get consistent signature output.

I wanted to ask/confirm here whether this is secure. There's surely got to be a reason for the PSS scheme, but some googling around left me feeling 1.5 is unbroken and 2.1 is just for a proof.

Consistent signatures are great for testing, and anything that RELIES on good entropy for security is a huge risk in my mind. So if someone can confirm my common sense isn't broken, I'd much appreciate it.

e-sushi
Dave P

1 Answer


Provided you follow PKCS#1 v1.5 verification exactly, and don't attempt shortcuts like checking only the hash part of the message hash representative, it should be fine. There's no security reduction to the RSA problem proven, like there is for RSA-FDH or RSASSA-PSS, and certainly no reduction to factorization, like there is for Rabin–Williams, but no weaknesses have been published in RSASSA-PKCS1-v1_5.

If you do take shortcuts like checking only the hash part of the message hash representative, you may set yourself up for Coppersmith- or Bleichenbacher-style attacks when $e = 3$, like the attack poncho sketched a while back.

Squeamish Ossifrage
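As an added illustration of the answer's point (example code written for this page; it is not from the original post, from mbedTLS, or from any library), the block below implements RSASSA-PKCS1-v1_5 with e = 3 and SHA-256 in pure Python: an exact verifier that follows RFC 8017 section 8.2.2 and compares the whole encoded block, a deliberately sloppy verifier that scans the padding and checks only the hash inside DigestInfo, and a Bleichenbacher-style forgery, computed from the public key alone, that the sloppy verifier accepts and the exact one rejects. It also shows the property the question asks about: signing the same message twice gives the same bytes, because no randomness is involved. The 2048-bit key is generated on the fly with a small Miller-Rabin routine, the message is constructed, and all function names (`verify_strict`, `verify_sloppy`, `forge_e3`, `demo`) are this example's own.

```python
import hashlib, hmac, math, secrets

E = 3
# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = [p for p in range(3, 1000, 2) if all(p % q for q in range(3, math.isqrt(p) + 1, 2))]

def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2 or n % 2 == 0:
        return n == 2
    if any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=2048, e=E):
    """Return (n, d); primes satisfy gcd(e, p - 1) = 1 so that e = 3 is invertible."""
    half, primes = bits // 2, []
    while len(primes) < 2:
        p = secrets.randbits(half) | (1 << (half - 1)) | (1 << (half - 2)) | 1
        if math.gcd(e, p - 1) == 1 and p not in primes and is_probable_prime(p):
            primes.append(p)
    p, q = primes
    return p * q, pow(e, -1, (p - 1) * (q - 1) // math.gcd(p - 1, q - 1))

def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 (RFC 8017, section 9.2): 00 01 FF...FF 00 || DigestInfo."""
    t = DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg, n, d):
    """RSASSA-PKCS1-v1_5 signing; no randomness, so the output is the same every time."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def verify_strict(msg, sig, n, e=E):
    """RFC 8017, section 8.2.2: recompute EM and compare the whole block."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em_prime = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em_prime, emsa_pkcs1_v15(msg, k))

def verify_sloppy(msg, sig, n, e=E):
    """The shortcut the answer warns about: scan the padding, pull the hash out of
    DigestInfo, and ignore whatever follows it. Deliberately broken; do not copy."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if em[:2] != b"\x00\x01" or i >= k or em[i] != 0x00:
        return False
    t = em[i + 1:]
    if not t.startswith(DIGESTINFO):
        return False
    return t[len(DIGESTINFO):len(DIGESTINFO) + 32] == hashlib.sha256(msg).digest()

def icbrt_ceil(x):
    """Smallest s with s**3 >= x, via integer Newton iteration for the floor root."""
    s = 1 << ((x.bit_length() + 2) // 3)
    while True:
        y = (2 * s + x // (s * s)) // 3
        if y >= s:
            return s if s ** 3 >= x else s + 1
        s = y

def forge_e3(msg, n):
    """Bleichenbacher-style forgery against verify_sloppy using only the public key.
    Build 00 01 FF*8 00 || DigestInfo || zeros, then take a cube root: the rounding
    error is below 2^(2/3 * bits), so it only disturbs the zero region."""
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + DIGESTINFO + hashlib.sha256(msg).digest()
    garbage = k - len(prefix)
    target = int.from_bytes(prefix + b"\x00" * garbage, "big")
    s = icbrt_ceil(target)
    if s ** 3 >= n or s ** 3 >> (8 * garbage) != target >> (8 * garbage):
        raise ValueError("modulus too small for this forgery")  # not the case at 2048 bits with SHA-256
    return s.to_bytes(k, "big")

def demo(bits=2048):
    """Constructed message and a fresh key; returns the four outcomes as booleans."""
    n, d = generate_rsa_key(bits)
    msg = b"constructed sample message"
    sig, forged = sign(msg, n, d), forge_e3(msg, n)
    return {
        "deterministic": sig == sign(msg, n, d),
        "strict_accepts_real": verify_strict(msg, sig, n),
        "strict_rejects_forgery": not verify_strict(msg, forged, n),
        "sloppy_accepts_forgery": verify_sloppy(msg, forged, n),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The forgery works because the sloppy verifier never checks that the DigestInfo is the last thing in the block (nor that the padding string has the full length), which leaves a long region of bytes the attacker is free to fill with anything; with e = 3 that freedom is enough to make the block a perfect cube. The exact verifier is immune because it compares every byte of the recomputed encoding, which is exactly what the answer means by following PKCS#1 v1.5 verification without shortcuts.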