W3C home > Mailing lists > Public > public-webcrypto@w3.org > May 2014

[Bug 25741] New: RSA-OAEP is under-specified when the parameters define an operation not supported by the key size

From: <bugzilla@jessica.w3.org>
Date: Fri, 16 May 2014 18:45:23 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25741-7213@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25741

            Bug ID: 25741
           Summary: RSA-OAEP is under-specified when the parameters define
                    an operation not supported by the key size
           Product: Web Cryptography
           Version: unspecified
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: sleevi@google.com
                CC: public-webcrypto@w3.org

With RSA-OAEP, the maximum message size is equivalent to:

modulus length - 1 (leading 0x00 octet) - hash size (masked seed) - hash size
(lHash portion of the maskedDB) - 1 (at least one octet for the padding string,
equal to 0x01)

The result of this is that it's possible to specify a set of parameters during
an operation that are not supportable by the key.

For example, using a 1024-bit key with SHA-512 as the hash algorithm is not
possible, because the minimum size of an OAEP encoded message is 1040 bits.

The question is whether this should be presented as a DataError (implying
implementations may need to do validation prior to the underlying
implementation) or left as an OperationError.

The spec is unclear on this. In the case of AES-KW, for example, a DataError is
raised if plaintext is not a multiple of 64 bits. With RSA-ES, however, which
also has a maximum message size (modulus length - 11), no spec-specific
behaviour is defined, therefore an OperationError is expected.

At least one user agent (Chrome) implemented behaviour that treated RSA-ES
message failures as a DataError, assuming the AES-KW behaviour, so the spec
should be explicit either way for interoperability.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Received on Friday, 16 May 2014 18:45:26 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:22 UTC