Re: [jose] RSA-OAEP vs RSA-OAEP-256
Les Hazlewood <lhazlewood@gmail.com> Wed, 11 May 2022 17:49 UTC
Return-Path: <lhazlewood@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C30B3C159493 for <jose@ietfa.amsl.com>; Wed, 11 May 2022 10:49:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jRVmHqbh9ygP for <jose@ietfa.amsl.com>; Wed, 11 May 2022 10:49:27 -0700 (PDT)
Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1794AC157B51 for <jose@ietf.org>; Wed, 11 May 2022 10:49:27 -0700 (PDT)
Received: by mail-yb1-xb31.google.com with SMTP id y76so5471731ybe.1 for <jose@ietf.org>; Wed, 11 May 2022 10:49:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WA2uiVtqw3nAnu5X+fxP2ntC8twawkJmWn6RZMYnSHQ=; b=kvf7PWCnrxdGeBdNT6lHzthvT4rEteKuM+mQNtnBAS5E18aUNH+NRfHhyrtr6lGDnr wsSX5wD4VpviDknjEQUiM5NELyWv7xF4p3OQ5kHBPO2QONGhL5VSvGGXXlpToXaWyebC YwG23AfDc1Y/GYOie9KAAmzQl5hkWMxWQeThWNKHWxeElsU4NhfiDqd1mhzHfMWl77M+ 2FKLuto/uGIYGbS29ZvwayWOA1NQkgAiTQJD+cMsa05sFIu+iSP48pojGyvKanXLfP5F i0s49uxfC65+lrTl7mubqlPSs5F/VP87PnhI9jDSC3QJZuqEt5YuMvfYzUeO27ypFjGl 7vsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WA2uiVtqw3nAnu5X+fxP2ntC8twawkJmWn6RZMYnSHQ=; b=OOt4bnZSCDfpmXYyQoCPSEOigxS6Vz5dJCFfR24a8wCGwtvlXGsO1oVB0NhNHH1xJX JqDZ9e4t0Jxc7/I93tyAhEIG8HBTeG46ZGtvtscFrwPDybkeGHzCs/yPF6GUKbdqIJbF mjvkLO1Xgpdc/XtFXwdKG30+aJ10T4Q/qJazhXwG6arcFOysvX0Sj09vbbuyWajoOVON +w2ICVMKyOfzhpcZd1Uk8empqo8Wdtw1AAj1Ey5vnHRrCmFIsrqwOBWr4eUTIpeoFYM0 Ysj1mMpoStyOJZsMMG8cUoXwmrTEmtZ8tnICtA4DDa1IIjUpUCTxnsH0bNbztU1ODQhk B1FA==
X-Gm-Message-State: AOAM533z6y4jRZsX0LYKtDPHixXij2pPPeGQ3d2cqoUJTJW/7uvCVxuW e6IS+jwV3vYxqHiP0ri9u9qJTzWW6CLfb6I6H4g=
X-Google-Smtp-Source: ABdhPJwcCtrkQ1wP2jYMY0gaaFb+4Afy9l6xr67MbHkVu40arnjrgvTV/UL+E28F5KRVVqS+GHvfDU76VMaXe0WEc1k=
X-Received: by 2002:a25:20a:0:b0:645:74e4:8cc9 with SMTP id 10-20020a25020a000000b0064574e48cc9mr24308184ybc.518.1652291365781; Wed, 11 May 2022 10:49:25 -0700 (PDT)
MIME-Version: 1.0
References: <CAOtGrGL6Lx=JxrKOsaAexqWEHT4CA3w8rahz9tigHGX2HmRpoA@mail.gmail.com> <E085B827-08FF-4276-8793-97F677B8A51F@forgerock.com> <CAOtGrGKXQRiWSJEToPXD=pBrgAFdpbMs20HBAMBktpNk69h4sw@mail.gmail.com>
In-Reply-To: <CAOtGrGKXQRiWSJEToPXD=pBrgAFdpbMs20HBAMBktpNk69h4sw@mail.gmail.com>
From: Les Hazlewood <lhazlewood@gmail.com>
Date: Wed, 11 May 2022 10:49:15 -0700
Message-ID: <CACVbtYPgfmmoEeZMH3jT7wmxw+mKtdaoq+KsXgW-=F6Oc7v8aA@mail.gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Cc: Neil Madden <neil.madden@forgerock.com>, jose@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ec43c305dec00f90"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/24UXl5I3zwugd6mHqlwkaBkX7Vs>
Subject: Re: [jose] RSA-OAEP vs RSA-OAEP-256
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2022 17:49:30 -0000
I could be wrong, but my current understanding of the `Recommended`, `Recommended+`, etc labels is that they are a signal to implementers (library authors) of what should be supported for completeness, not a cryptographic theory recommendation for application developers. - Les On Wed, May 11, 2022 at 5:19 AM Sergey Beryozkin <sberyozkin@gmail.com> wrote: > > > On Mon, May 9, 2022 at 8:40 AM Neil Madden <neil.madden@forgerock.com> > wrote: > >> >> On 6 May 2022, at 17:26, Sergey Beryozkin <sberyozkin@gmail.com> wrote: >> >> >> Hi Everyone >> >> I'm contributing to a project where `RSA-OAEP` [1] is currently a >> default key encryption algorithm for encrypting JWT claims and we've had a >> request to replace it with `RSA-OAEP-256` because `SHA-1` is used in >> `RSA-OAEP`. >> >> I'd like to ask the experts, why does `RSA-OAEP` have a `Recommended+` >> status, while `RSA-OAEP-256` - optional, at [1] ? >> >> Also, while it is not a JOSE specific question, I'd appreciate some >> comments on whether having an 'SHA-1' element in the `RSA-OAEP` encryption >> process makes `RSA-OAEP` less secure or not. My basic understanding, based >> on some Web search results, is that `RSA-OAEP` remains a secure algorithm. >> >> >> It may be better to ask this question of CFRG. I am not aware of any >> attacks on SHA-1 in the context of MGF1 at the current time. But that may >> be partly because nobody is looking for them: SHA-1 has been proven >> insecure, do cryptographers have to publicly break every individual use of >> it before people stop using it? >> >> > Thanks for your answer, it makes sense. But now I'm even more interested > in finding out why RSA-OAEP has a `Recommended+` status in the JOSE space > in [1], even though the JWA spec is outdated, it was known, when it was > created, that SHA-1 was insecure. > > Thanks, Sergey > > >> >> Thanks, Sergey >> >> [1] https://tools.ietf.org/html/rfc7518#section-4.3%5BRSA-OAEP%5D >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose >> >> >> — Neil >> > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose >
- [jose] RSA-OAEP vs RSA-OAEP-256 Sergey Beryozkin
- Re: [jose] RSA-OAEP vs RSA-OAEP-256 Neil Madden
- Re: [jose] RSA-OAEP vs RSA-OAEP-256 Sergey Beryozkin
- Re: [jose] RSA-OAEP vs RSA-OAEP-256 Les Hazlewood