Right. The point here is that the RSA-OAEP standard itself allows for parametrization of the hash function output size. While the vast majority of current implementations use SHA-1, the standard itself allows for arbitrary hash function specification. See ftp://ftp.rsasecurity.com/pub/rsalabs/rsa_algorithm/rsa-oaep_spec.pdf, section 1.3, paragraph 5.
On Wed, Aug 29, 2012 at 6:33 PM, Mike Jones <[email protected]>wrote: > Sure. s/key size/size/g in my description below. Sometimes the sizes > are for things like hash function output size, rather than key size.**** > > ** ** > > *From:* Manger, James H [mailto:[email protected]] > *Sent:* Wednesday, August 29, 2012 6:13 PM > *To:* Mike Jones > > *Cc:* [email protected] > *Subject:* RE: [jose] (REDO) POLL: RSA-OAEP/RSA-PSS default parameters**** > > ** ** > > There is no 384-bit key involved in RS384 (RSASSA-PKCS1-V1_5 with > SHA-384). It involves, say, a 2048-bit RSA key.**** > > ** ** > > When you say “key size” do you actually mean “important size”, instead of > “size of a crypto key”?**** > > ** ** > > Perhaps the hash size and hash algorithm are “more important” in an RSA > signature than in an RSA encryption padding scheme, though that is a fairly > subtle hair to be splitting when naming JOSE algorithms. We would need to > stop talking about “hash algorithms” and start talking about, say, > “collision-resistant hash algorithms” and “pseudorandom functions” if we > want to split that hair.**** > > ** ** > > --**** > > James Manger**** > > ** ** > > *From:* [email protected] [mailto:[email protected]] *On Behalf > Of *Mike Jones > *Sent:* Thursday, 30 August 2012 10:32 AM > *To:* Manger, James H; Breno de Medeiros > *Cc:* [email protected] > *Subject:* Re: [jose] (REDO) POLL: RSA-OAEP/RSA-PSS default parameters**** > > ** ** > > They’re in the first category, in which a key size is required to fully > specify the algorithm.**** > > ** ** > > *From:* [email protected] > [mailto:[email protected]<[email protected]>] > *On Behalf Of *Manger, James H > *Sent:* Wednesday, August 29, 2012 5:11 PM > *To:* Mike Jones; Breno de Medeiros > *Cc:* [email protected] > *Subject:* Re: [jose] (REDO) POLL: RSA-OAEP/RSA-PSS default parameters**** > > ** ** > > So what about RS256, RS384, and RS512?**** > > ** ** > > --**** > > James Manger**** > > ** ** > > *From:* Mike Jones [mailto:[email protected]] > *Sent:* Thursday, 30 August 2012 10:07 AM > *To:* Breno de Medeiros; Manger, James H > *Cc:* [email protected] > *Subject:* RE: [jose] (REDO) POLL: RSA-OAEP/RSA-PSS default parameters**** > > ** ** > > Where a key size is required to fully specify the algorithm, it’s included > in the name. Examples: HS256, A128GCM.**** > > Where the size isn’t required to fully specify the algorithm, it isn’t. > Examples: RSA1_5, RSA-OAEP, ECSH-ES.**** > > ** ** > > No inconsistency.**** > > ** ** > > -- Mike**** > > ** ** > > *From:* [email protected] > [mailto:[email protected]<[email protected]>] > *On Behalf Of *Breno de Medeiros > *Sent:* Wednesday, August 29, 2012 5:01 PM > *To:* Manger, James H > *Cc:* [email protected] > *Subject:* Re: [jose] (REDO) POLL: RSA-OAEP/RSA-PSS default parameters**** > > ** ** > > Concur with the analysis that 'RSA-OAEP' terminology appears inconsistent > with other acronym usage.**** > > ** ** > > On Wed, Aug 29, 2012 at 4:58 PM, Manger, James H < > [email protected]> wrote:**** > > > Should SHA1 (and mgf1SHA1) be the default parameters for these > > algorithms?**** > > We don’t have "algorithm parameters" in JOSE – that is the subject of a > separate POLL ("Support multiple types for algorithms"). JOSE currently has > algorithm labels with no parameters. > > Consequently this question is really asking one of the following: > > Q1. Should RSA OAEP with SHA-1 be defined for use with JOSE? Perhaps > additionally, should it be mandatory to implement? > The core of this question is whether SHA-1 is > cryptographically-compromised enough that we shouldn't use it in new crypto > specs, or is its widespread-availability more important than any crypto > weakness? > > Q2. Should the label "RSA-OAEP" be used for RSA OAEP with SHA-1? > > My answer to Q2 is NO. The "RSA-OAEP" label is inconsistent with other > JOSE alg names. JWA specifies "HS512", "RS512", "ES512", and "CS512" where > the Sxxx suffix indicates a hash algorithm. RSA OAEP with SHA-1 could use > "ROS1" or "ROS160". > > -- > James Manger**** > > > > -----Original Message----- > > From: [email protected] [mailto:[email protected]] On Behalf Of > > Karen O'Donoghue > > Sent: Thursday, 30 August 2012 7:30 AM > > To: [email protected] > > Subject: [jose] (REDO) POLL: RSA-OAEP/RSA-PSS default parameters > >**** > > > Folks, > > > > Given the confusion around the original version of this poll, I'd like > > to try again. > > > > The basic question is unchanged, the room count from Vancouver has been > > corrected, and a clarification regarding the status of SHA1 in the OAEP > > specification has been added. For those of you who voted and feel you > > may have misunderstood the question or voted incorrectly, please feel > > free to update your answer. > > > > Question: > > Should SHA1 (and mgf1SHA1) be the default parameters for these > > algorithms? > > Note: These are the default parameters specified in RFC 3447, Section > > A.2.1, and are widely deployed. > > > > Room vote: 5 yes, 0 no, 3 discuss > > > > Thanks, > > Karen > > _______________________________________________ > > jose mailing list > > [email protected] > > https://www.ietf.org/mailman/listinfo/jose > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose**** > > > > **** > > ** ** > > -- > --Breno**** > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > > -- --Breno
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
