- From: Cantor, Scott E. <cantor.2@osu.edu>
- Date: Tue, 28 Jun 2011 15:04:51 +0000
- To: "public-xmlsec@w3.org" <public-xmlsec@w3.org>

The issue I was describing on the call is that the specification of RSA-OAEP key transport in XML Encryption (1.0 or 1.1) is dependent on SHA-1 in two respects:

- the padding digest, which is allowed to be anything
- the mask generation function, which OAEP allows to be anything (see RFC 3560), but XML Enc says has to use SHA-1

In parallel, I've noted that the Apache implementations (both Java and C++) actually didn't allow for anything but SHA-1 in the padding. It is unclear whether that's mandatory to handle or not, but they didn't.

OpenSSL also does not handle this in its OAEP routines. I asked about it, no response. I patched the Apache C++ implementation to handle SHA-2 in the padding step, by copying some code from OpenSSL. It's an open bug on the Java side, and will require API changes to handle. I don't know about other implementations.

I believe that the weakening of SHA-1 doesn't actually affect its use in OAEP, but my concern was raised both because it's an interop issue (the spec allows for SHA-2, but support was spotty), and because I anticipate the possibility that people might ask for implementations that block all use of SHA-1 just to avoid having to worry about where it might get used.

At minimum, seems like we need to consider whether to mandate something else in the spec, and whether to look at the MGF part.

-- Scott

Received on Tuesday, 28 June 2011 15:05:26 UTC