- From: Donald Eastlake 3rd <dee3@torque.pothole.com>
- Date: Thu, 25 Apr 2002 00:43:13 -0400 (EDT)
- To: xml-encryption@w3.org
It is desirable for the order of algorithm parameter elements to be
insignificant. That's why AgreementMethod has RecipientKeyInfo and
OriginatorKeyInfo. I thought it said this
Donald
======================================================================
Donald E. Eastlake 3rd dee3@torque.pothole.com
155 Beaver Street +1-508-634-2066(h) +1-508-851-8280(w)
Milford, MA 01757 USA Donald.Eastlake@motorola.com
On Wed, 17 Apr 2002, Tom Gindin wrote:
> Date: Wed, 17 Apr 2002 10:45:48 -0400
> From: Tom Gindin <tgindin@us.ibm.com>
> To: jiandong guo <jguo@phaos.com>
> Cc: xml-encryption@w3.org, reagle@w3c.org
> Subject: Re: FW: Re: rsa/oaep
> Resent-Date: Wed, 17 Apr 2002 11:40:34 -0400 (EDT)
> Resent-From: xml-encryption@w3.org
>
>
> I agree with your statements about PSS. But why does that require
> that SHA-1 be used for OAEP? It doesn't even require that the same hash
> algorithm be used for both purposes within OAEP. In particular, there is
> no obvious reason why SHA-256 would not be used instead of SHA-1 for larger
> RSA keys.
> Looking at the way this is currently done, it would be more
> consistent to create a second optional element ("ds:MGFDigest") under
> RSA-OAEP with the note in the specification that if this method is omitted
> it is considered as equal to ds:DigestMethod, and that if ds:DigestMethod
> is omitted it is considered as equal to "SHA-1". Alternatively, we could
> put maxOccurs of ds:DigestMethod as 2, with the interpretation (explicit in
> the spec) that if both are present the first is the hash algorithm and the
> second the MGF, if one is present it's used for both, and if neither is
> present both are set to "SHA-1". I can see no reason why ds:DigestMethod
> should not have a "maxOccurs" value.
>
> Tom Gindin
>
>
> "jiandong guo" <jguo@phaos.com> on 04/17/2002 01:41:23 AM
>
> To: Tom Gindin/Watson/IBM@IBMUS
> cc: <xml-encryption@w3.org>, <reagle@w3c.org>
> Subject: Re: FW: Re: rsa/oaep
>
>
> I believe that what we agreed before is to fix SHA-1 for use with MGF.
>
> The reason that the same hash function is suggested to be used in the
> RSASSA-PSS signature scheme is to guard against the weak-hash function
> substitute attack, where the attacker could forge a new signature from the
> given signature by using a weak hash function acceptable to the verifier in
> MGF. This attack can also be addressed by fixing a strong hash function
> (e.g. SHA-1) for use.
>
> In any case, RSA-OAEP is an encryption scheme so this type of attack
> doesn't make sense here.
>
> Jiandong Guo
> Phaos Technology
>
>
>
>
Received on Thursday, 25 April 2002 00:43:14 UTC
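
The following is an added example, not part of the archived thread or of the XML Encryption specification. It resolves the OAEP hash and MGF digest under both defaulting rules proposed in the quoted message and shows why the reply prefers distinct element names: the positional rule changes meaning when the children are reordered. The element ds:MGFDigest exists only as the proposal in the thread, and the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SHA1 = DS + "sha1"
SHA256 = XENC + "sha256"

def build_method(children):
    """Constructed sample: an RSA-OAEP EncryptionMethod with the given
    (local-name, algorithm-URI) children, in the order supplied."""
    em = ET.Element(f"{{{XENC}}}EncryptionMethod",
                    Algorithm=XENC + "rsa-oaep-mgf1p")
    for name, alg in children:
        ET.SubElement(em, f"{{{DS}}}{name}", Algorithm=alg)
    return em

def resolve_named(em):
    """First proposal: distinct element names, looked up by name."""
    digest = em.find(f"{{{DS}}}DigestMethod")
    mgf = em.find(f"{{{DS}}}MGFDigest")  # proposed in the thread, hypothetical
    hash_alg = digest.get("Algorithm") if digest is not None else SHA1
    mgf_alg = mgf.get("Algorithm") if mgf is not None else hash_alg
    return hash_alg, mgf_alg

def resolve_positional(em):
    """Alternative: up to two ds:DigestMethod, meaning set by position."""
    algs = [d.get("Algorithm") for d in em.findall(f"{{{DS}}}DigestMethod")]
    if len(algs) > 2:
        raise ValueError("at most two ds:DigestMethod elements allowed")
    if not algs:
        return SHA1, SHA1          # neither present: SHA-1 for both
    return algs[0], algs[-1]       # one present: used for both

def reordered(em):
    """Same children in reverse document order."""
    return build_method([(c.tag.split("}")[1], c.get("Algorithm"))
                         for c in reversed(list(em))])

if __name__ == "__main__":
    named = build_method([("DigestMethod", SHA256), ("MGFDigest", SHA1)])
    positional = build_method([("DigestMethod", SHA256), ("DigestMethod", SHA1)])
    for label, em, resolve in (("named", named, resolve_named),
                               ("positional", positional, resolve_positional)):
        stable = resolve(em) == resolve(reordered(em))
        print(f"{label}: {resolve(em)} order-insensitive={stable}")
```

A receiver that canonicalizes, re-serializes or rebuilds the parameter list before decryption would silently swap the hash and MGF digest under the positional rule, so decryption fails or uses a parameter set the sender did not choose.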