Re: [jose] RSA-OAEP vs RSA-OAEP-256
Neil Madden <neil.madden@forgerock.com> Mon, 09 May 2022 07:41 UTC
Return-Path: <neil.madden@forgerock.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 601FFC159484 for <jose@ietfa.amsl.com>; Mon, 9 May 2022 00:41:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M0A-87ffxI_m for <jose@ietfa.amsl.com>; Mon, 9 May 2022 00:40:58 -0700 (PDT)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51809C14F730 for <jose@ietf.org>; Mon, 9 May 2022 00:40:58 -0700 (PDT)
Received: by mail-wr1-x436.google.com with SMTP id x18so18183322wrc.0 for <jose@ietf.org>; Mon, 09 May 2022 00:40:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=COJDJKNcyGqOUUIlw7meyflF16goQe1se3a2i5LNZXc=; b=VJIG03afWB+6hyIIYi2q0KVz0KBhhbjmwm5BSYn2FCMHt6GArt9zymZDrCFvKH7WDd 8xF2zfV/6j0BYwmEPUj/xhzNT4cPDqlvA28KceH0YJ5CtF1GxV1rUxNc6EO31CmDfczD ytelgU0FTcgDWUruUFs6HhgDZZYhFdld284Hw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=COJDJKNcyGqOUUIlw7meyflF16goQe1se3a2i5LNZXc=; b=aJ2i9WXx+gOiFfGARL7/b3dvm4Ut8+pS0AuY2KrfCYxF2JzsUKM7EVy7I17CGdvkLu TBPfSsqGWhmDSB7pn8hS4A8bz1dQ6wtbt+MA67aOOnSFJBKDciroMhD4VGgKdLEp5izw 66tYud51fCRhPyLE69lx9MAy1kTB77UH2cPRNAooQvcE3I7OoY/cND/UAaERRlo/v3FO qJiz2KHoxRnmJXf+dWVkux2/92OjYqBf/Yzv1mDcHkPdiAg34LEd1RNv+p0Lq0BLQW1g HObNmWA5jnYi0w33qX3V+3o7tje9W4aqBToVL8IXZrKDns9InzXBUhJnhFmWlYypFhpk UHzg==
X-Gm-Message-State: AOAM530dOdkOrWACQ89I/761Dsz4TZ8QMjTmIC3cLsED5w08t3TlDwzV 3rabzK5K1cD2gqMhN1TBrNZQYA==
X-Google-Smtp-Source: ABdhPJxqx4QllZflkBcRVGYoSLrjYmH2XBujXdv/E2ZSF7B2ATK8MHyav1enzBE8nQRGs5tEqDkH/Q==
X-Received: by 2002:a05:6000:168e:b0:20c:547d:11a1 with SMTP id y14-20020a056000168e00b0020c547d11a1mr12577541wrd.37.1652082056090; Mon, 09 May 2022 00:40:56 -0700 (PDT)
Received: from smtpclient.apple (181.213.93.209.dyn.plus.net. [209.93.213.181]) by smtp.gmail.com with ESMTPSA id o35-20020a05600c512300b0039454a85a9asm12790926wms.30.2022.05.09.00.40.55 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 09 May 2022 00:40:55 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-8F2E1E72-0622-4DFC-ACCF-13102B009749"
Content-Transfer-Encoding: 7bit
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 09 May 2022 08:40:54 +0100
Message-Id: <E085B827-08FF-4276-8793-97F677B8A51F@forgerock.com>
References: <CAOtGrGL6Lx=JxrKOsaAexqWEHT4CA3w8rahz9tigHGX2HmRpoA@mail.gmail.com>
Cc: jose@ietf.org
In-Reply-To: <CAOtGrGL6Lx=JxrKOsaAexqWEHT4CA3w8rahz9tigHGX2HmRpoA@mail.gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
X-Mailer: iPhone Mail (19E258)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/KCHbnOCX464GbyeQ5KrQ_jU5xBA>
Subject: Re: [jose] RSA-OAEP vs RSA-OAEP-256
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 May 2022 07:41:02 -0000
> On 6 May 2022, at 17:26, Sergey Beryozkin <sberyozkin@gmail.com> wrote: > > > Hi Everyone > > I'm contributing to a project where `RSA-OAEP` [1] is currently a default key encryption algorithm for encrypting JWT claims and we've had a request to replace it with `RSA-OAEP-256` because `SHA-1` is used in `RSA-OAEP`. > > I'd like to ask the experts, why does `RSA-OAEP` have a `Recommended+` status, while `RSA-OAEP-256` - optional, at [1] ? > > Also, while it is not a JOSE specific question, I'd appreciate some comments on whether having an 'SHA-1' element in the `RSA-OAEP` encryption process makes `RSA-OAEP` less secure or not. My basic understanding, based on some Web search results, is that `RSA-OAEP` remains a secure algorithm. It may be better to ask this question of CFRG. I am not aware of any attacks on SHA-1 in the context of MGF1 at the current time. But that may be partly because nobody is looking for them: SHA-1 has been proven insecure, do cryptographers have to publicly break every individual use of it before people stop using it? > Thanks, Sergey > > [1] https://tools.ietf.org/html/rfc7518#section-4.3%5BRSA-OAEP%5D > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose — Neil
- [jose] RSA-OAEP vs RSA-OAEP-256 Sergey Beryozkin
- Re: [jose] RSA-OAEP vs RSA-OAEP-256 Neil Madden
- Re: [jose] RSA-OAEP vs RSA-OAEP-256 Sergey Beryozkin
- Re: [jose] RSA-OAEP vs RSA-OAEP-256 Les Hazlewood