Re: RSA // OAEP // SHA-1
Would it make sense to amend that to add SHA-3?

--Avi

On 1/30/13, Michel Messerschmidt wrote:
> On Tue, Jan 29, 2013 at 06:36:25PM -0600, John Clizbe wrote:
>> ved...@nym.hush.com wrote:
>> > if so, would this fall under the open-pgp RFC, or would it have to go
>> > through an RSA standard first?
>>
>> RFC 4880 makes no mention of OAEP. RFC 4880 references RFC 3447 for
>> details of RSA implementation.
>>
>> So, from what I can tell, RSA standard first, then OpenPGP by
>> incorporating the new RSA standard. THEN, Gnupg.
>
> Although it is the default, RFC 3447 is not restricted to SHA-1.
> Appendix B actually states:
> "For the RSAES-OAEP encryption scheme and EMSA-PSS encoding method,
> only SHA-1 and SHA-256/384/512 are recommended."

--
Sent from my mobile device

User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: RSA // OAEP // SHA-1
On Wednesday, January 30, 2013 at 3:28 PM, "Michel Messerschmidt" wrote:
>
> Although it is the default, RFC 3447 is not restricted to SHA-1.
> Appendix B actually states:
> "For the RSAES-OAEP encryption scheme and EMSA-PSS encoding method,
> only SHA-1 and SHA-256/384/512 are recommended."

Which would mean that GnuPG wouldn't need any overhaul of standards to move from a default of SHA-1 to SHA-256 (although it might involve making changes to the crypto library that GnuPG uses for RSA).

After thinking about it some more, though, it doesn't seem like much of a threat to continue SHA-1 (or at least, less important for GnuPG to concern itself, than with the SHA-1 involved in the fingerprint).

GnuPG uses RSA padding only to encrypt and decrypt the random session key. All other encryption is done by symmetric algorithms and doesn't involve RSA and its padding.

As the session key is random, it isn't vulnerable to a plain-text attack, and might not need any padding at all, and so, the hash function used for the padding isn't such an issue...

Sorry to take up the time needlessly.

vedaal
Re: RSA // OAEP // SHA-1
On Tue, Jan 29, 2013 at 06:36:25PM -0600, John Clizbe wrote:
> ved...@nym.hush.com wrote:
> > if so, would this fall under the open-pgp RFC, or would it have to go
> > through an RSA standard first?
>
> RFC 4880 makes no mention of OAEP. RFC 4880 references RFC 3447 for
> details of RSA implementation.
>
> So, from what I can tell, RSA standard first, then OpenPGP by
> incorporating the new RSA standard. THEN, Gnupg.

Although it is the default, RFC 3447 is not restricted to SHA-1.
Appendix B actually states:
"For the RSAES-OAEP encryption scheme and EMSA-PSS encoding method,
only SHA-1 and SHA-256/384/512 are recommended."
Re: RSA // OAEP // SHA-1
ved...@nym.hush.com wrote:
> As the padding scheme in RSA, (OAEP) uses SHA-1, then, *eventually*, as
> people move away from using SHA-1, and toward a V5 key where SHA-1 is not
> used,
> will it also be necessary to re-do the RSA padding to not use SHA-1, and
> if so, would this fall under the open-pgp RFC, or would it have to go through
> an RSA standard first?

This is probably more on topic for the IETF-OpenPGP list, but anyway...

RFC 4880 makes no mention of OAEP. RFC 4880 references RFC 3447 for details of RSA implementation.

So, from what I can tell, RSA standard first, then OpenPGP by incorporating the new RSA standard. THEN, Gnupg.

[RFC4880] J. Callas, L. Donnerhacke, H. Finney, D. Shaw, R. Thayer. "OpenPGP Message Format", RFC 4880, November 2007. https://tools.ietf.org/html/rfc4880

[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, February 2003. https://tools.ietf.org/html/rfc3447

--
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net or
mailto:pgp-public-k...@gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
RSA // OAEP // SHA-1
As the padding scheme in RSA, (OAEP) uses SHA-1, then, *eventually*, as people move away from using SHA-1, and toward a V5 key where SHA-1 is not used, will it also be necessary to re-do the RSA padding to not use SHA-1, and if so, would this fall under the open-pgp RFC, or would it have to go through an RSA standard first?

just curious,

vedaal