Re: FW: Re: rsa/oaep

Three parameters are needed for RSA-OAEP: hash function, Mask Generation
Function, encoding parameters.
The current state of the XML Encryption specification is that the hash function
is read from the ds:DigestMethod element (this could be SHA1, SHA256, SHA512)
and the Mask Generation Function is fixed to be MGF1WithSHA1.
By definition a Mask Generation Function doesn't necessarily rely on a hash
function (although the particular function MGF1 does).
If we want to be general we should have an optional element MGF to specify the
Mask Generation Function to be used. But this does not sound practical. I think
it is reasonable to fix the Mask Generation Function to be the default one
(MGF1WithSHA1) as specified in PKCS1 v2.0.

Jiandong Guo
Phaos Technology


Tom Gindin wrote:

>       I agree with your statements about PSS.  But why does that require
> that SHA-1 be used for OAEP?  It doesn't even require that the same hash
> algorithm be used for both purposes within OAEP.  In particular, there is
> no obvious reason why SHA-256 would not be used instead of SHA-1 for larger
> RSA keys.
>       Looking at the way this is currently done, it would be more
> consistent to create a second optional element ("ds:MGFDigest") under
> RSA-OAEP with the note in the specification that if this method is omitted
> it is considered as equal to ds:DigestMethod, and that if ds:DigestMethod
> is omitted it is considered as equal to "SHA-1".  Alternatively, we could
> put maxOccurs of ds:DigestMethod as 2, with the interpretation (explicit in
> the spec) that if both are present the first is the hash algorithm and the
> second the MGF, if one is present it's used for both, and if neither is
> present both are set to "SHA-1".  I can see no reason why ds:DigestMethod
> should not have a "maxOccurs" value.
>
>             Tom Gindin
>
> "jiandong guo" <jguo@phaos.com> on 04/17/2002 01:41:23 AM
>
> To:    Tom Gindin/Watson/IBM@IBMUS
> cc:    <xml-encryption@w3.org>, <reagle@w3c.org>
> Subject:    Re: FW: Re: rsa/oaep
>
> I believe that what we agreed before is to fix SHA-1 for using with MGF.
>
> The reason that the same hash function is suggested to be used in the
> RSASSA-PSS signature scheme is to guard against the weak-hash function
> substitute attack where the attacker could forge a new signature from the
> given signature by using a weak hash function acceptable by the verifier in
> MGF. This attack can also be addressed by fixing a strong hash function
> (e.g. SHA-1) for use.
>
> In any case, RSA-OAEP is an encryption scheme so this type of attack
> doesn't make sense here.
>
> Jiandong Guo
> Phaos Technology

Received on Wednesday, 17 April 2002 18:06:18 UTC
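
The three parameters discussed in this thread, as an added Python sketch of the EME-OAEP encoding from PKCS #1 (not code from the original messages or from the XML Encryption specification). The names `digest`, `mgf_digest` and `label` are assumptions made for illustration: `digest` plays the role of ds:DigestMethod, `mgf_digest` is the hash inside MGF1, and `label` is the encoding parameters.

```python
import hashlib, hmac, os

def mgf1(seed: bytes, length: int, hash_name: str = "sha1") -> bytes:
    """MGF1: concatenate Hash(seed || counter) blocks, truncate to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, label=b"", digest="sha1", mgf_digest="sha1"):
    """EME-OAEP encode msg for a k-byte RSA modulus.
    digest hashes the encoding parameters (label); mgf_digest is used inside MGF1."""
    h_len = hashlib.new(digest).digest_size
    if len(msg) > k - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hashlib.new(digest, label).digest()
    db = l_hash + b"\x00" * (k - len(msg) - 2 * h_len - 2) + b"\x01" + msg
    seed = os.urandom(h_len)
    masked_db = _xor(db, mgf1(seed, k - h_len - 1, mgf_digest))
    masked_seed = _xor(seed, mgf1(masked_db, h_len, mgf_digest))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k, label=b"", digest="sha1", mgf_digest="sha1"):
    """Inverse of oaep_encode. Illustration only: this check is not constant-time."""
    h_len = hashlib.new(digest).digest_size
    if len(em) != k or k < 2 * h_len + 2:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[1:1 + h_len], em[1 + h_len:]
    seed = _xor(masked_seed, mgf1(masked_db, h_len, mgf_digest))
    db = _xor(masked_db, mgf1(seed, k - h_len - 1, mgf_digest))
    sep = db.find(b"\x01", h_len)  # 0x01 separator after the zero padding
    ok = (em[0] == 0 and sep != -1 and not any(db[h_len:sep])
          and hmac.compare_digest(db[:h_len], hashlib.new(digest, label).digest()))
    if not ok:
        raise ValueError("decoding error")
    return db[sep + 1:]

def demo():
    # Constructed sample: a 16-byte payload, 128-byte (1024-bit) modulus,
    # SHA-256 as the OAEP hash and MGF1 with SHA-1, the combination described above.
    key = bytes(range(16))
    em = oaep_encode(key, 128, b"", digest="sha256", mgf_digest="sha1")
    return oaep_decode(em, 128, b"", digest="sha256", mgf_digest="sha1")
```

Both sides must agree on all three values: decoding with a different MGF1 hash or different encoding parameters fails the label-hash check and is rejected.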