RE: Algorithm Selections

1. S/MIME is using RSA-v1.5 and Triple DES as the current manditory set for
RSA.  At the last IETF working group meeting there was a large discussion
about changing the manditory algorithms for S/MIME proper.  The final
discesion was to move from ES-DH/Triple DES to RSA-v1.5/Triple DES because
this closer matched the current set of implemented and working code (only a
couple of vendors have ES-DH working) and the RSA patent was no longer an
issue.  The fact that the AES algorithm had not been chosen yet was part of
the reason for saying with Triple DES.  The fact that everyone had already
implemented and was uing RSA-V1.5 rather than RSA-v2.0 was the reason for
saying with that.

Thre recommondation is just to keep things consistant with S/MIME if we
decide to use Triple DES.  In the final stages I think that AES/RSA-v2.0
should be the required algorithm and we might drop Triple DES entirely.

2. I keep fliping the letters.  The correct string is RSA-OAEP not RSA-OEAP.
One of these days either the entire world will match my spelling or I'll
learn the correct spelling.  RSA-OAEP is however the RSA-v2.0 standard.

-----Original Message-----
From: Joseph M. Reagle Jr. []
Posted At: Wednesday, November 15, 2000 11:40 AM
Posted To: XML-Encryption
Conversation: Algorithm Selections
Subject: Re: Algorithm Selections

At 00:31 11/15/2000 -0800, Jim Schaad wrote:
>As promised at the XML Encryption workshop, here is a description of the
>different types of algorithms along with what I would recommend for the
>different levels of support.

Thanks! I agree with all of your recommendations, but I have a question on
Key Transport.

>Key Transport Algorithms:
>RSA-v1.5 - This is the standard RSA algorithm used in CMS today.  It has
>the benifit of being widely used and the downside that there is a known
>attack againist it.
>RSA-OEAP - This is the revised RSA algorithm for doing key transport.  The
>same RSA public/private key pair can be used for both RSA-v1.5 and RSA-OEAP
>so there is no need to choose just one of these variants.
>Recommendation:  RSA-OEAP should be used with AES.  RSA-v1.5 should be used
>with TripleDES.

I note this is not mandatory, which I think I'm please with but I wanted to
chase the references and ended up getting confused. I found [1] for
"RSAES-OA(?EP?) in CMS" and it refers to [2], but RFC2347 is actually TFTP
Option Extension (Russ should switch the 3&4 to RFC2437 [3]). So:
1. What standard exactly is meant by RSA-OEAP? PKCS#1v2.0, it's CMS syntax,
or would we have to come up with our own XML based version?
2. Why do you recommend RSA-v1.5 with TripleDES?

[1] S/MIME Working Group R. Housley Internet Draft SPYRUS expires in six
months June 2000 Use of the RSAES-OAEP Key Transport Algorithm in CMS
[2] PKCS#1v2.0 Kaliski, B. PKCS #1: RSA Encryption, Version 2.0. RFC 2347.
October 1998.

Joseph Reagle Jr.
W3C Policy Analyst      
IETF/W3C XML-Signature Co-Chair

Received on Wednesday, 15 November 2000 17:00:57 UTC