-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change JWE Algorithm from RSA-OAEP to RSA-OAEP-256 #288
Comments
@rdebusscher I think we may need a better justification as the message digest is not what in itself is determining the overall security of the RSA-OAEP encryption. There are a few references on the web like
which you can find from https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding The reason
while The same JWA specification recommends RSA keys with It will be worth asking a question on the JOSE list. I don't mind too much about |
@rdebusscher Yes, IMHO, adding |
For later major versions we can consider making |
I agree with adding a new property for the key management key algorithm. |
@rdebusscher @teddyjtorres I'll keep this issue open to discuss |
@sberyozkin thank you for the references, but some remarks
The word may suggest it is not to be excluded that a problem can arise. The RFC 7518 you linked is dated May 2015, thus before the announcement in 2017 that SHA-1 is to be considered unsafe (https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html) I don't get the reason why a new config property is needed since the JWE algorithm comes from the header of the token. |
The reason why I opened this is the following. I'm currently writing a new implementation of JWT-Auth spec and can't pass the current TCK since it is mandatory to support RSA-OAEP (the RolesAllowedSignEncryptTest TCK test makes use of it also). It will be used in an environment where RSA-OAEP-256 is used. Users are also making the remark why an 'old' algorithm is required and you can't make use of newer algorithms (RSA-OAEP-256 already dates from 2017) Since Log4Shell, people avoid anything that is associated with a potential security vulnerability (a valid one or an assumed one) |
@rdebusscher I've added a comment at #289 to explain why depending on the headers alone is not a good idea.
Can you explain why you can't pass it ? Any JOSE library supports it.
We'll add this property and your users will be able to enforce |
I appreciate it and I don't take it lightly. But we can't just dismiss We can't drop it in 2.1 anyway - recall our conversation related to RSA keys < 2048 bits - they are still supported despite them explicitly discouraged in the specs - because of your concern removing them would break a backward compatibility - I'm only referring to it because it is the same situation as far as the backward compatibility is concerned. |
@rdebusscher If the TCK issue is related to the fact that you'd like to certify |
@rdebusscher I've asked a question about |
The specification says
But RSA-OAEP uses SHA-1 which is considered unsafe. The spec (and the tests) should be updated to make use of RSA-OAEP-256 (makes use of SHA-256)
The text was updated successfully, but these errors were encountered: