Re: FW: FIPS 140-2 Inquiry Regarding XML Encryption from Bruce Rich on 2012-02-02 (public-xmlsec@w3.org from February 2012)

From: Bruce Rich <brich@us.ibm.com>
Date: Thu, 2 Feb 2012 12:16:57 -0600
To: Hal Lockhart <hal.lockhart@oracle.com>
Cc: public-xmlsec@w3.org
Message-ID: <OF4A2D1BAA.699EAE01-ON86257998.006392C9-86257998.00647163@us.ibm.com>
That's a little odd, in that SHA-1 only has 80 bits of strength (half of 
the output length), according to NIST SP 800-131a ("The SHA-1 hash 
function has at most 80 bits of security against collision attacks."), of 
which Elaine is one of the authors.  So using RSA-OAEP with a 2048-bit 
key, but not requiring the MGF to use SHA224 or greater, still feels 
wrong.  But maybe we've now gone from requirements into best practice.

Bruce A Rich
brich at-sign us dot ibm dot com




From:   Hal Lockhart <hal.lockhart@oracle.com>
To:     public-xmlsec@w3.org
Date:   02/02/2012 10:09 AM
Subject:        FW: FIPS 140-2 Inquiry Regarding XML Encryption



I received this response from Elaine Barker of NIST.
 
Hal
 
-----Original Message-----
From: Barker, Elaine B. [mailto:elaine.barker@nist.gov]
Sent: Thursday, February 02, 2012 8:41 AM
To: Hal Lockhart
Subject: Re: FIPS 140-2 Inquiry Regarding XML Encryption

We would like people to stop using it for the generation of digital 
signatures at the end of 2013; it can continue to verify already-generated 
signatures after that. It’s OK for uses  that don’t require a security 
strength greater than it’s output length . For example, it will be OK to 
use with RSA-OAEP with keys that provide 112 bits of security strength 
(i.e., 2048-bit RSA keys).

Elaine


On 2/1/12 11:25 AM, "Hal Lockhart" <hal.lockhart@oracle.com> wrote:

Ms Barker,

I have been trying through various contacts to get an answer to the 
question below on behalf of the W3C XML Security Working Group. I saw a 
recent announcement you posted about SP 800-67, so I am hoping that you 
might be able to direct this question to someone who can answer it.

Note that the question is not really XML-specific. In brief the question 
is: NIST has told us to stop using SHA-1 after 2010, but does that include 
the use of SHA-1 in RSA-OAEP? There is some wording in SP 800-56B which 
could be read to say there is a specific exception in this case.

Thanks in advance,

Hal Lockhart



-----Original  Message-----
From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
Sent:  Sunday, December 04, 2011 6:09 PM
To: public-xmlsec@w3.org
Cc: Frederick.Hirsch@nokia.com; Jeff.Krug@gtri.gatech.edu
Subject:  Fwd: FIPS 140-2 Inquiry Regarding XML Encryption

resend to public xml security  working group list. 

 



 

From your comment Jeff it looks  like it is good that we now allow various 
MGSF  variants. 

 



 

The original MGF variant whose URL  you note uses SHA1. Do you have any 
specific comment on the concerns related  to FIPS?

 



 

THanks

 



 
 
 
 

regards,  Frederick

 



 

Frederick  Hirsch

 

Nokia

 





 



 

Begin forwarded  message:



 

Resent-From:  <public-xmlsec-comments@w3.org>

 

From:  "ext Krug,  Jeff" <Jeff.Krug@gtri.gatech.edu>

 

Date:  December 2,  2011 12:49:52 AM EST

 

To:  "public-xmlsec-comments@w3.org"  <public-xmlsec-comments@w3.org>

 

Subject: FIPS  140-2 Inquiry Regarding XML Encryption



 
 
 

GTRI  is trying to ascertain authoritatively whether the use of RSA-OAEP 
for key  transport within XML encryption is considered FIPS 140-2 
compliant. FIPS PUB  140-2 Annex D specifies that the key transport 
algorithms from NIST SP 800-56B  are acceptable key establishment 
techniques. NIST SP 800-56B specifies  RSA-OAEP is acceptable.  What seems 
to confuse the issue is that Annex A  limits what is acceptable from from 
RSA's PKCS v2.1 standard.   Additionally there is a great deal of FIPS 
documentation pushing for the use  of SHA2 or better (although it's not 
clear if that push impacts key transport  the same way it impacts digital 
signatures).  These variations are  making it hard to determine if the key 
transport mechanism (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) 
described  in section 5.4.2 ofhttp://www.w3.org/TR/xmlenc-core/ would be 
considered FIPS  compliant.

 



 

I  noticed in the latest draft of the standard, the mask generating 
function may  be changed from mgf1sha1 to use SHA2s, but I'm primarily 
interested in the  specific implementation defined in 2002. 

 



 

Thanks,
Jeff
Received on Thursday, 2 February 2012 18:22:53 UTC