FW: FIPS 140-2 Inquiry Regarding XML Encryption

Re: FIPS 140-2 Inquiry Regarding XML EncryptionI received this response from Elaine Barker of NIST.

Hal

-----Original Message-----
From: Barker, Elaine B. [mailto:elaine.barker@nist.gov]
Sent: Thursday, February 02, 2012 8:41 AM
To: Hal Lockhart
Subject: Re: FIPS 140-2 Inquiry Regarding XML Encryption


We would like people to stop using it for the generation of digital signatures at the end of 2013; it can continue to verify already-generated signatures after that. It’s OK for uses  that don’t require a security strength greater than it’s output length . For example, it will be OK to use with RSA-OAEP with keys that provide 112 bits of security strength (i.e., 2048-bit RSA keys).

Elaine


On 2/1/12 11:25 AM, "Hal Lockhart" <hal.lockhart@oracle.com> wrote:


  Ms Barker,

  I have been trying through various contacts to get an answer to the question below on behalf of the W3C XML Security Working Group. I saw a recent announcement you posted about SP 800-67, so I am hoping that you might be able to direct this question to someone who can answer it.

  Note that the question is not really XML-specific. In brief the question is: NIST has told us to stop using SHA-1 after 2010, but does that include the use of SHA-1 in RSA-OAEP? There is some wording in SP 800-56B which could be read to say there is a specific exception in this case.

  Thanks in advance,

  Hal Lockhart




    -----Original  Message-----
    From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
    Sent:  Sunday, December 04, 2011 6:09 PM
    To: public-xmlsec@w3.org
    Cc: Frederick.Hirsch@nokia.com; Jeff.Krug@gtri.gatech.edu
    Subject:  Fwd: FIPS 140-2 Inquiry Regarding XML Encryption

    resend to public xml security  working group list. 

     



     

    From your comment Jeff it looks  like it is good that we now allow various MGSF  variants. 

     



     

    The original MGF variant whose URL  you note uses SHA1. Do you have any specific comment on the concerns related  to FIPS?

     



     

    THanks

     



     
     
     
     

    regards,  Frederick

     



     

    Frederick  Hirsch

     

    Nokia

     





     



     

    Begin forwarded  message:



     

    Resent-From:  <public-xmlsec-comments@w3.org>

     

    From:  "ext Krug,  Jeff" <Jeff.Krug@gtri.gatech.edu>

     

    Date:  December 2,  2011 12:49:52 AM EST

     

    To:  "public-xmlsec-comments@w3.org"  <public-xmlsec-comments@w3.org>

     

    Subject: FIPS  140-2 Inquiry Regarding XML Encryption



     
     
     

    GTRI  is trying to ascertain authoritatively whether the use of RSA-OAEP for key  transport within XML encryption is considered FIPS 140-2 compliant. FIPS PUB  140-2 Annex D specifies that the key transport algorithms from NIST SP 800-56B  are acceptable key establishment techniques. NIST SP 800-56B specifies  RSA-OAEP is acceptable.  What seems to confuse the issue is that Annex A  limits what is acceptable from from RSA's PKCS v2.1 standard.   Additionally there is a great deal of FIPS documentation pushing for the use  of SHA2 or better (although it's not clear if that push impacts key transport  the same way it impacts digital signatures).  These variations are  making it hard to determine if the key transport mechanism (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) described  in section 5.4.2 ofhttp://www.w3.org/TR/xmlenc-core/ would be considered FIPS  compliant.

     



     

    I  noticed in the latest draft of the standard, the mask generating function may  be changed from mgf1sha1 to use SHA2s, but I'm primarily interested in the  specific implementation defined in 2002. 

     



     

    Thanks,
    Jeff

     

Received on Thursday, 2 February 2012 16:07:35 UTC