One of the persistent pieces of feedback about OpenPGP I've received
from folks involved in the security and cryptography fields is that the
PKCS v1.5 algorithms are obsolete. It is well known that many
cryptographic libraries have suffered (and will likely continue, despite
their best efforts, to suffer) from padding vulnerabilities. TLS has
recently added support for RSA-PSS and it's widely preferred over
PKCS1-v1.5.
I'm interested in seeing if we can require v5 SKESK packets with RSA use
RSA-OAEP with SHA-256 and MGF1-SHA-256 and require that v5 signatures
with RSA use RSA-PSS, with the MGF using the same digest as the
signature.
Hard-coding SHA-256 as the algorithm for RSA-OAEP means we don't need to
specify it as a parameter, and since it's the must-implement algorithm,
there's no reason an implementation won't support it. Folks that wish
to provide a better than 128-bit security level will use ECDH instead,
since RSA at the 192-bit level (7680 bit keys) is much slower and such
keys are not practically used.
I realize this requires implementers to add additional code, but I think
the increase in security is worth it given the number of CVEs we've seen
for padding vulnerabilities. We can tell implementers to avoid this
vulnerability until we're blue in the face, but considering that both
OpenSSL and NSS had this problem, that doesn't seem prudent.
--
brian m. carlson (he/him or they/them)
Houston, Texas, US
signature.asc
Description: PGP signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp