- From: Hal Lockhart <hal.lockhart@oracle.com>
- Date: Thu, 2 Feb 2012 10:32:29 -0800 (PST)
- To: Bruce Rich <brich@us.ibm.com>
- Cc: public-xmlsec@w3.org
- Message-ID: <ff68adbd-b5f9-435c-82ad-3bbe5f16b105@default>
Well the purpose of the hash in OAEP is somewhat different, but to me the real surprise is the first part of her statement. Apparently "not after 2010" has turned into "not after 2013". I can only speculate that there has been a lot of pushback from Federal agencies. Anyway, the question asked was about NIST policy and compliance with FIPS 140-2 and that is the question which was answered. As usual everybody has to do their own risk analysis.

Hal

-----Original Message-----
From: Bruce Rich [mailto:brich@us.ibm.com]
Sent: Thursday, February 02, 2012 1:17 PM
To: Hal Lockhart
Cc: public-xmlsec@w3.org
Subject: Re: FW: FIPS 140-2 Inquiry Regarding XML Encryption

That's a little odd, in that SHA-1 only has 80 bits of strength (half of the output length), according to NIST SP 800-131a ("The SHA-1 hash function has at most 80 bits of security against collision attacks."), of which Elaine is one of the authors. So using RSA-OAEP with a 2048-bit key, but not requiring the MGF to use SHA224 or greater, still feels wrong. But maybe we've now gone from requirements into best practice.

Bruce A Rich
brich at-sign us dot ibm dot com

From: Hal Lockhart <hal.lockhart@oracle.com>
To: public-xmlsec@w3.org
Date: 02/02/2012 10:09 AM
Subject: FW: FIPS 140-2 Inquiry Regarding XML Encryption
------------------------------------------------------------------------------

I received this response from Elaine Barker of NIST.

Hal

-----Original Message-----
From: Barker, Elaine B. [mailto:elaine.barker@nist.gov]
Sent: Thursday, February 02, 2012 8:41 AM
To: Hal Lockhart
Subject: Re: FIPS 140-2 Inquiry Regarding XML Encryption

We would like people to stop using it for the generation of digital signatures at the end of 2013; it can continue to verify already-generated signatures after that. It's OK for uses that don't require a security strength greater than its output length. For example, it will be OK to use with RSA-OAEP with keys that provide 112 bits of security strength (i.e., 2048-bit RSA keys).

Elaine

On 2/1/12 11:25 AM, "Hal Lockhart" <hal.lockhart@oracle.com> wrote:

Ms Barker,

I have been trying through various contacts to get an answer to the question below on behalf of the W3C XML Security Working Group. I saw a recent announcement you posted about SP 800-67, so I am hoping that you might be able to direct this question to someone who can answer it. Note that the question is not really XML-specific.

In brief the question is: NIST has told us to stop using SHA-1 after 2010, but does that include the use of SHA-1 in RSA-OAEP? There is some wording in SP 800-56B which could be read to say there is a specific exception in this case.

Thanks in advance,

Hal Lockhart

-----Original Message-----
From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
Sent: Sunday, December 04, 2011 6:09 PM
To: public-xmlsec@w3.org
Cc: Frederick.Hirsch@nokia.com; Jeff.Krug@gtri.gatech.edu
Subject: Fwd: FIPS 140-2 Inquiry Regarding XML Encryption

resend to public xml security working group list.

From your comment Jeff it looks like it is good that we now allow various MGF variants. The original MGF variant whose URL you note uses SHA1. Do you have any specific comment on the concerns related to FIPS?

Thanks

regards, Frederick

Frederick Hirsch
Nokia

Begin forwarded message:

Resent-From: <public-xmlsec-comments@w3.org>
From: "ext Krug, Jeff" <Jeff.Krug@gtri.gatech.edu>
Date: December 2, 2011 12:49:52 AM EST
To: "public-xmlsec-comments@w3.org" <public-xmlsec-comments@w3.org>
Subject: FIPS 140-2 Inquiry Regarding XML Encryption

GTRI is trying to ascertain authoritatively whether the use of RSA-OAEP for key transport within XML encryption is considered FIPS 140-2 compliant. FIPS PUB 140-2 Annex D specifies that the key transport algorithms from NIST SP 800-56B are acceptable key establishment techniques. NIST SP 800-56B specifies RSA-OAEP is acceptable. What seems to confuse the issue is that Annex A limits what is acceptable from RSA's PKCS v2.1 standard. Additionally there is a great deal of FIPS documentation pushing for the use of SHA2 or better (although it's not clear if that push impacts key transport the same way it impacts digital signatures). These variations are making it hard to determine if the key transport mechanism (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) described in section 5.4.2 of http://www.w3.org/TR/xmlenc-core/ would be considered FIPS compliant. I noticed in the latest draft of the standard, the mask generating function may be changed from mgf1sha1 to use SHA2s, but I'm primarily interested in the specific implementation defined in 2002.

Thanks,
Jeff
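The thread turns on where the hash sits inside RSA-OAEP. As an added illustration that is not part of the archived messages, the following Python implements the EME-OAEP padding layer of PKCS #1 v2.1 (RFC 3447 section 7.1) with MGF1 over a selectable hash, so the reader can see the hash acting as a mask generator and label hash; the `"sha1"` default mirrors the 2002 `rsa-oaep-mgf1p` identifier and `"sha256"` the SHA-2 MGFs mentioned for the later draft. The RSA exponentiation itself is omitted and the function names are this example's own.

```python
import hashlib
import os

# Added example (not from the archived thread): the EME-OAEP padding layer of
# PKCS #1 v2.1 (RFC 3447 section 7.1) with MGF1 over a selectable hash. The RSA
# modular exponentiation is omitted; only the hash's role in the padding is shown.

def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 (RFC 3447 B.2.1): concatenate hash(seed || counter) blocks."""
    h_len = hashlib.new(hash_name).digest_size
    out = b""
    for counter in range((length + h_len - 1) // h_len):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, k: int, hash_name: str = "sha1",
                label: bytes = b"", seed=None) -> bytes:
    """EME-OAEP-ENCODE: pad msg into a k-byte encoded message (k = RSA modulus bytes)."""
    h_len = hashlib.new(hash_name).digest_size
    if len(msg) > k - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hashlib.new(hash_name, label).digest()          # hash of the (usually empty) label
    db = l_hash + b"\x00" * (k - len(msg) - 2 * h_len - 2) + b"\x01" + msg
    seed = seed if seed is not None else os.urandom(h_len)   # fresh random seed per encryption
    masked_db = _xor(db, mgf1(seed, k - h_len - 1, hash_name))
    masked_seed = _xor(seed, mgf1(masked_db, h_len, hash_name))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, hash_name: str = "sha1", label: bytes = b"") -> bytes:
    """EME-OAEP decoding; every failure reports one generic error (RFC 3447 7.1.2)."""
    h_len = hashlib.new(hash_name).digest_size
    k = len(em)
    if k < 2 * h_len + 2 or em[0] != 0:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + h_len], em[1 + h_len:]
    seed = _xor(masked_seed, mgf1(masked_db, h_len, hash_name))
    db = _xor(masked_db, mgf1(seed, k - h_len - 1, hash_name))
    sep = db.find(b"\x01", h_len)                            # first 0x01 after lHash
    # Illustrative only: these checks are not constant-time, and a real decoder must
    # not reveal which of them failed (RFC 3447 notes the resulting side channel).
    if db[:h_len] != hashlib.new(hash_name, label).digest() or sep < 0 or any(db[h_len:sep]):
        raise ValueError("decryption error")
    return db[sep + 1:]
```

With a 2048-bit key (k = 256) the SHA-1 variant leaves room for a 214-byte payload and the SHA-256 variant for 190 bytes, which is the only capacity cost of switching the MGF hash.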
Received on Thursday, 2 February 2012 18:33:50 UTC