- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Wed, 17 Apr 2002 10:45:48 -0400
- To: "jiandong guo" <jguo@phaos.com>
- Cc: <xml-encryption@w3.org>, <reagle@w3c.org>
I agree with your statements about PSS. But why does that require that SHA-1 be used for OAEP? It doesn't even require that the same hash algorithm be used for both purposes within OAEP. In particular, there is no obvious reason why SHA-256 would not be used instead of SHA-1 for larger RSA keys.

Looking at the way this is currently done, it would be more consistent to create a second optional element ("ds:MGFDigest") under RSA-OAEP with the note in the specification that if this method is omitted it is considered as equal to ds:DigestMethod, and that if ds:DigestMethod is omitted it is considered as equal to "SHA-1". Alternatively, we could put maxOccurs of ds:DigestMethod as 2, with the interpretation (explicit in the spec) that if both are present the first is the hash algorithm and the second the MGF, if one is present it's used for both, and if neither is present both are set to "SHA-1". I can see no reason why ds:DigestMethod should not have a "maxOccurs" value.

Tom Gindin

"jiandong guo" <jguo@phaos.com> on 04/17/2002 01:41:23 AM

To: Tom Gindin/Watson/IBM@IBMUS
cc: <xml-encryption@w3.org>, <reagle@w3c.org>
Subject: Re: FW: Re: rsa/oaep

I believe that what we agreed before is to fix SHA-1 for use with MGF. The reason that the same hash function is suggested to be used in the RSASSA-PSS signature scheme is to guard against the weak-hash function substitute attack, where the attacker could forge a new signature from the given signature by using a weak hash function acceptable by the verifier in MGF. This attack can also be addressed by fixing a strong hash function (e.g. SHA-1) for use. In any case, RSA-OAEP is an encryption scheme so this type of attack doesn't make sense here.

Jiandong Guo
Phaos Technology
Received on Wednesday, 17 April 2002 11:40:00 UTC
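
The defaulting rules proposed in the message above, written out as an added example that is not part of the original thread or of any specification text. It accepts either proposed form (a separate `ds:MGFDigest` element, or up to two `ds:DigestMethod` elements); the `ds:MGFDigest` name comes from the proposal and is hypothetical, and the recipient-side allow-list and the sample elements are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SHA1 = DS + "sha1"
SHA256 = XENC + "sha256"
# Assumption: the recipient keeps its own allow-list of acceptable hashes
# instead of accepting whatever algorithm the sender names.
ALLOWED = {SHA1, SHA256}


def resolve_oaep_digests(encryption_method_xml):
    """Return (oaep_hash_uri, mgf_hash_uri) for one EncryptionMethod element."""
    em = ET.fromstring(encryption_method_xml)
    digests = [e.get("Algorithm") for e in em.findall(f"{{{DS}}}DigestMethod")]
    # ds:MGFDigest is the element name proposed in the message (hypothetical).
    mgf = [e.get("Algorithm") for e in em.findall(f"{{{DS}}}MGFDigest")]
    # Mixing both proposed forms, or repeating elements, is ambiguous: reject.
    if len(digests) > 2 or len(mgf) > 1 or (mgf and len(digests) == 2):
        raise ValueError("ambiguous digest declaration")
    oaep_hash = digests[0] if digests else SHA1   # omitted -> SHA-1
    if mgf:
        mgf_hash = mgf[0]                         # first proposal: explicit MGF digest
    elif len(digests) == 2:
        mgf_hash = digests[1]                     # second proposal: second DigestMethod
    else:
        mgf_hash = oaep_hash                      # omitted -> same as the OAEP hash
    for uri in (oaep_hash, mgf_hash):
        if uri not in ALLOWED:                    # also catches a missing Algorithm
            raise ValueError(f"digest not accepted: {uri!r}")
    return oaep_hash, mgf_hash


def sample_method(children=""):
    """Build a constructed sample EncryptionMethod element for RSA-OAEP."""
    return (f'<xenc:EncryptionMethod xmlns:xenc="{XENC}" xmlns:ds="{DS}" '
            f'Algorithm="{XENC}rsa-oaep-mgf1p">{children}</xenc:EncryptionMethod>')


if __name__ == "__main__":
    two = (f'<ds:DigestMethod Algorithm="{SHA256}"/>'
           f'<ds:DigestMethod Algorithm="{SHA1}"/>')
    for label, xml in [("neither", sample_method()), ("two", sample_method(two))]:
        print(label, resolve_oaep_digests(xml))
```
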