

Subject: Re: [wss-dev] Support for modern security algorithms in WS-Security (resend, type)




Hello Frederick,

Thanks for confirming this.   Hopefully the OASIS BRSP BSP can still be updated to reference the current versions and recommendations.

From your experience,  is XML Security 1.1 (and therefore newer algorithms like SHA-256) supported well (and interoperably) in commercial and open source Web Services security toolkits and products? 

Kind Regards,

Pim

On 11/14/2013 04:14 PM, Frederick.Hirsch@nokia.com wrote:
Pim

resend, fixed typo, "now both recommendations"


XML Security 1.1 has updated algorithm information; 



SHA-256 is REQUIRED in XML Signature 1.1;  SHA-1 required but use is discouraged.

"Note: Use of SHA-256 is strongly recommended over SHA-1 because recent advances in cryptanalysis (see e.g. [SHA-1-Analysis], [SHA-1-Collisions] ) have cast doubt on the long-term collision resistance of SHA-1."


XML Signature Best Practices has updated information on threats, countermeasures and algorithms that might be useful as well:



It seems WSS references XML Signature  from 2002 which is 2 versions behind (2nd Edition and 1.1 are now both Recommendations and incorporate algorithm updates, security updates, clarifications see [1] ).

regards, Frederick

Frederick Hirsch, Nokia
Chair XML Security WG

[1] http://www.w3.org/TR/2013/NOTE-xmldsig-core1-explain-20130411/  for 1.1


On Nov 14, 2013, at 4:32 AM, ext Pim van der Eijk wrote:



Hello,

I am working on a project where WS-Security is being proposed.  Security experts have pointed to some guideline documents that mention more modern security algorithms than are recommended in the BSP and in some other Web Services-related guidelines I have seen.   

Do WS-Security toolkits and vendor products these days commonly support these newer algorithms like SHA-256,  so can a community therefore mandate them, or are most toolkits still limited to SHA-1 and would mandating SHA-256 create interoperability problems?

Kind Regards,

Pim van der Eijk


-------- Original Message --------
Subject: [ws-brsp] BSP: SHA1 Preferred ?
Date: Wed, 13 Nov 2013 19:14:18 +0100
From: Pim van der Eijk <pvde@sonnenglanz.net>
To: ws-brsp@lists.oasis-open.org



Hello,

My first question on this list,  sorry for not having had time for this TC before.

http://docs.oasis-open.org/ws-brsp/BasicSecurityProfile/v1.1/csprd01/BasicSecurityProfile-v1.1-csprd01.html#_Toc364859639

9.6.1  SHA-1 Preferred

The SHA-1 Digest algorithm is widely-implemented and interoperable hence the recommendation that it be used for signature digests.

R5420 Any DIGEST_METHOD Algorithm attribute SHOULD have the value "http://www.w3.org/2000/09/xmldsig#sha1".


While interoperable, there are concerns that SHA-1 is no longer secure. Current guidelines no longer recommend SHA-1 but instead recommend moving to SHA-256 or higher:

http://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/#sec-MessageDigests
"This specification defines several possible digest algorithms for the DigestMethod element, including REQUIRED algorithm SHA-256. Use of SHA-256 is strongly recommended over SHA-1 because recent advances in cryptanalysis (see e.g. [SHA-1-Analysis]) have cast doubt on the long-term collision resistance of SHA-1. Therefore, SHA-1 support is REQUIRED in this specification only for backwards-compatibility reasons."

http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report 
"SHA-1 as a hash function only for legacy applications"

http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml  
"FIPS PUB 180-4 (using SHA-256 and SHA-384)"

Shouldn't the BSP make recommendations consistent with current security recommendations?

Kind Regards,

Pim van der Eijk
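
The check discussed in this thread, as an added example that is not part of any message above: a small audit that lists the digest algorithm of every `ds:Reference` in a signed message and flags the SHA-1 URI named in R5420. The sample envelope, the reference IDs and the function name `audit_digests` are constructed for illustration; the SHA-256/384/512 URIs are the standard XML Security identifiers, not values quoted in the thread.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Digest URI -> (name, acceptable under "SHA-256 or higher").
# The SHA-1 entry is the value R5420 recommends; the others are the
# identifiers listed by XML Signature 1.1.
DIGESTS = {
    DS + "sha1": ("SHA-1", False),
    "http://www.w3.org/2001/04/xmlenc#sha256": ("SHA-256", True),
    "http://www.w3.org/2001/04/xmldsig-more#sha384": ("SHA-384", True),
    "http://www.w3.org/2001/04/xmlenc#sha512": ("SHA-512", True),
}

def audit_digests(xml_text):
    """Return (reference URI, digest name, acceptable) per ds:Reference."""
    findings = []
    # For messages from untrusted peers, parse with a hardened XML parser.
    root = ET.fromstring(xml_text)
    for ref in root.iter(f"{{{DS}}}Reference"):
        method = ref.find(f"{{{DS}}}DigestMethod")
        uri = method.get("Algorithm", "") if method is not None else ""
        # Unknown or missing algorithms are reported as not acceptable.
        name, ok = DIGESTS.get(uri, (uri or "missing", False))
        findings.append((ref.get("URI", ""), name, ok))
    return findings

# Constructed sample: one SHA-1 reference, one SHA-256 reference.
SAMPLE = """<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header><ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#body">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>CONSTRUCTED</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#timestamp">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>CONSTRUCTED</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature></soap:Header>
  <soap:Body/>
</soap:Envelope>"""

if __name__ == "__main__":
    for ref_uri, name, ok in audit_digests(SAMPLE):
        print(f"{ref_uri:12} {name:8} {'ok' if ok else 'FLAG'}")
```

Run over captured traffic from each toolkit in a deployment, this shows which peers still emit SHA-1 digests before a community mandates SHA-256.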














