W3C home > Mailing lists > Public > public-xmlsec@w3.org > June 2011

OAEP/SHA-1 issue

From: Cantor, Scott E. <cantor.2@osu.edu>
Date: Tue, 28 Jun 2011 15:04:51 +0000
To: "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <CA2F65D2.CD37%cantor.2@osu.edu>
The issue I was describing on the call is that the specification of
RSA-OAEP key transport in XML Encryption (1.0 or 1.1) is dependent on
SHA-1 in two respects:

- the padding digest, which is allowed to be anything
- the mask generation function, which OAEP allows to be anything (see RFC
3560), but XML Enc says has to use SHA-1

In parallel, I've noted that the Apache implementations (both Java and
C++) actually didn't allow for anything but SHA-1 in the padding. It is
unclear whether that's mandatory to handle or not, but they didn't.

OpenSSL also does not handle this in its OAEP routines. I asked about it,
no response. I patched the Apache C++ implementation to handle SHA-2 in
the padding step, by copying some code from OpenSSL. It's an open bug on
the Java side, and will require API changes to handle.

I don't know about other implementations.

I believe that the weakening of SHA-1 doesn't actually affect its use in
OAEP, but my concern was raised both because it's an interop issue (the
spec allows for SHA-2, but support was spotty), and because I anticipate
the possibility that people might ask for implementations that block all
use of SHA-1 just to avoid having to worry about where it might get used.

At minimum, seems like we need to consider whether to mandate something
else in the spec, and whether to look at the MGF part.

-- Scott
Received on Tuesday, 28 June 2011 15:05:26 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 28 June 2011 15:05:27 GMT