Re: [jose] RSA-OAEP vs RSA-OAEP-256

Sergey Beryozkin <sberyozkin@gmail.com> Wed, 11 May 2022 12:19 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EF10C1850C2 for <jose@ietfa.amsl.com>; Wed, 11 May 2022 05:19:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1PLNOewelMk9 for <jose@ietfa.amsl.com>; Wed, 11 May 2022 05:19:27 -0700 (PDT)
Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DCA5C1850C8 for <jose@ietf.org>; Wed, 11 May 2022 05:18:49 -0700 (PDT)
Received: by mail-il1-x129.google.com with SMTP id f5so1243645ilj.13 for <jose@ietf.org>; Wed, 11 May 2022 05:18:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1tgq3I/mcQkSaZOmyK3dwdCZ1aCVolipMUyZeAr/0Pw=; b=Yfz7RjRc+BcTDKC7SlfFuBnwhMLzVJ6RMywGC4pGe8tq3g+p1DuvcxXhNoPJvjQjEe 1jJ3Rj0+VAtsnSrNHSh72iY+9SWio0RRE66Ms3mCFsZSfXOly3INwE66J7uSQdTv9+Kh OlWUg1SBb80njCJPmyhnHC7Oc92c8qbrZOKCX5Lr2GwTJIcCvGO4Z4BN3ecjZ9XJ/uRr 3Uf0qtnAzlQO01BqrE3sC9ou8x7s29RmZNxArERdjrQb53t2IMeUxMzGenZNwVEHVE9J ZPzoEyCWrWdi3JjWCZzuESi4uJZSZDnYgf3t4gKnNjsTM9B6kePDwGkmBVa9YqaU0Zsl 8raQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1tgq3I/mcQkSaZOmyK3dwdCZ1aCVolipMUyZeAr/0Pw=; b=f8NkMS/PzIXklRSAZ2/NKWx07vhtmFdha2mQ5kTUDtXO4ZJijTyuMUD0EA8wyprw6y Lb8SjqxdnUf5wrd5Nz8jYjhZOkxRu6yMCdloESerACS0sZppbQvdXxLhZjnTeAYWU2X5 FA/OanR1nP8OrSGWSJNgZ7UJFtvIvCEAjEORKbHovGhE4TlFv4SGAyyWtvTegxM8OpYT RPnJmxXN205rIwzwRghv4Slco5pL5jOozKzxSur2ev93tJHAi38KI7xw9Vg6aMBDfnJV dV/CjNU9TsEOKqvqDWdLNLrkNia9nA5Sf7NScwSfXwJVH6sUZF2O5qxHTxWFbm8BXqqa sYNQ==
X-Gm-Message-State: AOAM530xmjFMqFYJ5cr2rpzp2o8CDCcCVV+wBeqr3fPbSbzTdehONG0a t95gfa+y5WZmLsMnyk3krQkKo6T6YYTtAgm4CbI=
X-Google-Smtp-Source: ABdhPJwm2FPAgpi8PnqoI+jNyRFy04MY1TFRhHolbqZq/SkEQNtvA7w5JivjSOxa/RE1PWaSSWsjUTxPXxpjKvoiI4Y=
X-Received: by 2002:a05:6e02:2146:b0:2cf:87ae:ddb0 with SMTP id d6-20020a056e02214600b002cf87aeddb0mr10455750ilv.188.1652271528035; Wed, 11 May 2022 05:18:48 -0700 (PDT)
MIME-Version: 1.0
References: <CAOtGrGL6Lx=JxrKOsaAexqWEHT4CA3w8rahz9tigHGX2HmRpoA@mail.gmail.com> <E085B827-08FF-4276-8793-97F677B8A51F@forgerock.com>
In-Reply-To: <E085B827-08FF-4276-8793-97F677B8A51F@forgerock.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Date: Wed, 11 May 2022 13:18:37 +0100
Message-ID: <CAOtGrGKXQRiWSJEToPXD=pBrgAFdpbMs20HBAMBktpNk69h4sw@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: jose@ietf.org
Content-Type: multipart/alternative; boundary="00000000000080487a05debb71a1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/2evj0Q4dVAszHGSncmhW49RUXJc>
Subject: Re: [jose] RSA-OAEP vs RSA-OAEP-256
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2022 12:19:31 -0000

On Mon, May 9, 2022 at 8:40 AM Neil Madden <neil.madden@forgerock.com>
wrote:

>
> On 6 May 2022, at 17:26, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>
> 
> Hi Everyone
>
> I'm contributing to a project where `RSA-OAEP`  [1] is currently a default
> key encryption algorithm for encrypting JWT claims and we've had a request
> to replace it with `RSA-OAEP-256` because `SHA-1` is used in `RSA-OAEP`.
>
> I'd like to ask the experts, why does `RSA-OAEP` have a `Recommended+`
> status, while `RSA-OAEP-256` - optional, at [1] ?
>
> Also, while it is not a JOSE specific question, I'd appreciate some
> comments on whether having an 'SHA-1' element in the `RSA-OAEP` encryption
> process makes `RSA-OAEP` less secure or not. My basic understanding, based
> on some Web search results, is that `RSA-OAEP` remains a secure algorithm.
>
>
> It may be better to ask this question of CFRG. I am not aware of any
> attacks on SHA-1 in the context of MGF1 at the current time. But that may
> be partly because nobody is looking for them: SHA-1 has been proven
> insecure, do cryptographers have to publicly break every individual use of
> it before people stop using it?
>
>
Thanks for your answer, it makes sense. But now I'm even more interested in
finding out why RSA-OAEP has a  `Recommended+` status in the JOSE space in
[1], even though the JWA spec is outdated, it was known, when it was
created, that SHA-1 was insecure.

Thanks, Sergey


>
> Thanks, Sergey
>
> [1] https://tools.ietf.org/html/rfc7518#section-4.3%5BRSA-OAEP%5D
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>
> — Neil
>