Re: Parameters and Algorithms.

The FIPS cites ANSI X9.31, which is a subset of the ISO 9796-2
version of RSA.  Padding and hash algorithm ID are in the signature
block, but it's different from PKCS #1.  I believe there will be an
18 month grace period to convert from PKCS #1 to X9.31.  It
is also likely X9.31 will be reopened to add support for Bellare
and Rogaway's PSS scheme, which is a probabilistic scheme
that seems not to be vulnerable to the recent attacks by Naccache
et al on various fixed-format versions of RSA (9796-1 and so forth;
see Crypto 99 proceedings for details).

Regards,
Rich

-----Original Message-----
From: Jim Schaad (Exchange) <jimsch@EXCHANGE.MICROSOFT.com>
To: 'Eric Rescorla' <ekr@rtfm.com>
Cc: W3c-Ietf-Xmldsig (E-mail) <w3c-ietf-xmldsig@w3.org>
Date: Thursday, October 14, 1999 7:42 PM
Subject: RE: Parameters and Algorithms. 


>
>
>> -----Original Message-----
>> From: Eric Rescorla [mailto:ekr@rtfm.com]
>> Sent: Thursday, October 14, 1999 3:01 PM
>> To: Jim Schaad (Exchange)
>> Cc: W3c-Ietf-Xmldsig (E-mail)
>> Subject: Re: Parameters and Algorithms. 
>> 
>> 
>> > OK -- let's put this argument on hold for a while and look at the original
>> > proposal again.
>> > 
>> > 1.  If we put the statement in the draft that the only HashAlgorithm
>> > parameter that can be specified with DSA is SHA-1 we can make a future
>> > modification to the following statement.
>> > When DSA is specified, if |q| == 160, the HashAlgorithm MUST be specified as
>> > SHA-1.  If |q| == 320, the HashAlgorithm MUST be specified as AES-HASH.  This
>> > allows for future flexibility if needed and specifies both DSA and SHA1 must
>> > be used today.
>> This is provisionally fine with me. I'd like to get a cryptographer's
>> opinion about DSA with |q|!=160, however. I'm not mathematician enough
>> to know that it's strong. 
>> 
>> > 2.  With regards to the RSA parameters, it would appear that the ONLY thing
>> > you are arguing against is really the new padding algorithm that I
>> > suggested not the parameterization.  I am sure that you would allow the
>> > P1363 padding algorithm. (I have not verified it includes the hash name, but
>> > I assume it does.)  The fact that I am factorizing out the presentation
>> > should not be an issue with you.  Is this correct?
>> Mostly no. 
>> 
>> However, I'd like to see us come down on only a few different
>> padding algorithms. Is there any reason to support anything other
>> than PKCS-1v1.5 and some OAEP variant? 
>
>There appears to be an issue with FIPS for US Government.  I believe they
>are adopting a different padding standard than either PKCS-1v1.5 or
>PKCS-1v2.0 (an OAEP variant).
>
>> 
>> -Ekr
>> 
>jim 
>

Received on Thursday, 14 October 1999 20:39:11 UTC
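Rich's message above states that X9.31 carries the padding and the hash algorithm identifier in the signature block in a format different from PKCS #1. The following Python is an added example, not code from this thread or from either standard; it builds the SHA-1 encoded message for EMSA-PKCS1-v1_5 and for ANSI X9.31 from their published constants (the DER DigestInfo prefix; the 0x6B/0xBB/0xBA bytes and the 0x33 0xCC trailer) and adds the strict decoder a verifier of a fixed-format scheme needs.

```python
import hashlib

# DER prefix of the SHA-1 DigestInfo that EMSA-PKCS1-v1_5 places before the digest
PKCS1_SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
# X9.31 / ISO 9796-2 trailer: hash identifier byte (0x33 = SHA-1) followed by 0xCC
X931_SHA1_TRAILER = bytes([0x33, 0xCC])


def emsa_pkcs1_v1_5(message: bytes, em_len: int) -> bytes:
    """PKCS #1 v1.5 block: 00 01 FF..FF 00 || DigestInfo(SHA-1, H(m)).
    The hash is named by the DER AlgorithmIdentifier inside DigestInfo."""
    t = PKCS1_SHA1_PREFIX + hashlib.sha1(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for PKCS #1 v1.5")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def emsa_x931(message: bytes, em_len: int) -> bytes:
    """ANSI X9.31 block: 6B BB..BB BA || H(m) || hash-id CC.
    The hash is named by a single trailer byte, not by a DER structure."""
    h = hashlib.sha1(message).digest()
    pad = em_len - len(h) - len(X931_SHA1_TRAILER) - 2   # minus header and 0xBA
    if pad == -1:
        # No room for 0xBB bytes: header and delimiter nibbles share the byte 0x6A
        return b"\x6a" + h + X931_SHA1_TRAILER
    if pad < 0:
        raise ValueError("modulus too short for X9.31")
    return b"\x6b" + b"\xbb" * pad + b"\xba" + h + X931_SHA1_TRAILER


def parse_x931(em: bytes) -> tuple[int, bytes]:
    """Strict X9.31 decoder: returns (hash_id, digest) or raises ValueError.
    A verifier must reject any block that deviates from the fixed layout."""
    if len(em) < 4 or em[-1] != 0xCC:
        raise ValueError("bad X9.31 trailer")
    if em[0] == 0x6A:
        body_start = 1
    elif em[0] == 0x6B:
        i = 1
        while i < len(em) - 2 and em[i] == 0xBB:
            i += 1
        if em[i] != 0xBA:
            raise ValueError("bad X9.31 padding string")
        body_start = i + 1
    else:
        raise ValueError("bad X9.31 header")
    return em[-2], em[body_start:-2]
```

Both encodings are fixed formats: the same message and modulus size always produce the same block, which is the property the random salt in PSS removes.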