Re: FW: Re: rsa/oaep

I agree with Jiandong. The hash function that happens to be used in
conjunction with the Mask Generator Function MGF1 has almost nothing to
do with the hash function used at the top level in OAEP. I think it's
reasonable to use SHA-1 in the MGF even if you are using SHA-256 with
OAEP, just like it is reasonable to use a 64 bit MAC even when you are
encrypting with AES-256.

As stated in my previous message, I think the current URI has always
meant and should continue to mean Option 1 and when and if we need it we
can specify a new OAEP URI with more options. And for all those who have
not quite gotten it, despite Jiandong's repeated explanations, this new
URI would take three algorithmic parameters: the OAEP hash, the Mask
Generator Function, and the algorithm which returns the "encoding
parameters" (see RFC 2437). For those who choose to use the current
MGF1, MGF1 in turn takes one algorithmic parameter, a hash function.

So you might have something like

<EncryptionMethod algorithm="http://...RSA-OAEP2">
  <OAEPparamsMethod algorithm="..."> ... </OAEPparamsMethod>
  <ds:DigestMethod algorithm="http://..." />
  <OAEPmaskgenerationMethod algorithm="http://...mgf1">
     <ds:DigestMethod algorithm="http://..." />
  </OAEPmaskgenerationMethod>
</EncryptionMethod>

and if the hypothetical OAEPmaskgenerationMethod was mgfX it might have
zero or one or any number of any type of parameters, depending on what
was appropriate for mgfX.

Donald
======================================================================
 Donald E. Eastlake 3rd                       dee3@torque.pothole.com
 155 Beaver Street              +1-508-634-2066(h) +1-508-851-8280(w)
 Milford, MA 01757 USA                   Donald.Eastlake@motorola.com

On Thu, 18 Apr 2002, Jiandong Guo wrote:

> Date: Thu, 18 Apr 2002 16:41:52 -0400
> From: Jiandong Guo <jguo@phaos.com>
> To: reagle@w3.org
> Cc: xml-encryption@w3.org
> Subject: Re: FW: Re: rsa/oaep
> Resent-Date: Thu, 18 Apr 2002 16:41:19 -0400 (EDT)
> Resent-From: xml-encryption@w3.org
>
>
>
> Joseph Reagle wrote:
>
> >
> >
> > Otherwise, it looks like we have a couple of options:
> >
> > 1. (the present scheme): the hash is user specified; mgf is SHA-1.
> > 2. the hash and mgf are user specified and they are always the same.
> > 3. the hash and mgf are independently user specified.
> >
>
> Option 2 looks odd to me. First of all we DEFAULT our Mask Generation Function
> to MGF1 (Mask Generation Function does not necessarily rely on a hash function.
> There could be an MGF2 based, say, on AES) and then we mix up the hash function
> and the hash function for MGF1 in our syntax and rely on text explanation to
> make things clear.
>
> If we want to support new things, we should think carefully how to get the
> syntax clear and extensible. Simply giving a new interpretation of the existing
> syntax doesn't sound like good practice to me. By the way, MGF1 is not a hash
> function. A hash function is used in the process of MGF1.
>
> Jiandong
>
>

Received on Thursday, 25 April 2002 00:54:48 UTC