
wss-dev message



Subject: Re: [wss-dev] Support for modern security algorithms in WS-Security (resend, type)



Hi Frederick and others,

For those interested in this:

WS-Security is typically configured using WS-SecurityPolicy:
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html

WS-SecurityPolicy supports SHA256 but apparently it does so only for digests. For signature, RSA-SHA1 is hardwired and it is not possible to switch to RSA-SHA256.
https://access.redhat.com/site/documentation/en-US/JBoss_Fuse/6.0/html/Web_Services_Security_Guide/files/MsgProtect-SOAP-SpecifyAlgorithmSuite.html
http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-td5732250.html

An interoperability issue between .NET and Websphere:
http://www.fokkog.com/2011/01/ws-security-interoperability-issue.html

Some vendors are adding support for signing with RSA-SHA2, here is information for two products:
http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/topic/com.ibm.iea.was_v8/was/8.0.0.4/Security/WAS8004_Support_SHA_Algorithms.pdf
http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.wlp.express.doc%2Fae%2Fcwlp_wssec_defaultconfig.html

https://blogs.oracle.com/gfsecurity/entry/what_s_new_in_metro
https://blogs.oracle.com/SureshMandalapu/entry/support_of_rsa_sha256_and

I note you also had a similar discussion in June on SP not being up to date with XML Sig/Enc:
https://lists.oasis-open.org/archives/ws-sx/201306/maillist.html

Pim



On 11/14/2013 04:57 PM, Frederick.Hirsch@nokia.com wrote:
Pim

  Perhaps others on the list can speak to implementations.

I can say that we completed interop on XML Signature 1.1 [1], demonstrating interoperability; that said, companies often have many products and version changes, so you should check with vendors regarding product information.
I'm not up to date on the status and evolution of WSS products (if you learn anything and can share, I'd be curious).

This latest news is also probably relevant:

"Hoping to avert “collision” with disaster, Microsoft retires SHA1
After 2016, Microsoft will stop accepting the collision-prone crypto algorithm"

http://arstechnica.com/security/2013/11/hoping-to-avert-collision-with-disaster-microsoft-retires-sha1/

regards, Frederick

Frederick Hirsch, Nokia
Chair XML Security WG

[1] see http://www.w3.org/TR/2012/NOTE-xmldsig-core1-interop-20121113/

On Nov 14, 2013, at 10:47 AM, ext Pim van der Eijk wrote:


Hello Frederick,

Thanks for confirming this.   Hopefully the OASIS BRSP BSP can still be updated to reference the current versions and recommendations.

From your experience, is XML Security 1.1 (and therefore newer algorithms like SHA-256) supported well (and interoperably) in commercial and open source Web Services security toolkits and products?

Kind Regards,

Pim

On 11/14/2013 04:14 PM, Frederick.Hirsch@nokia.com wrote:
Pim

resend, fixed typo, "now both recommendations"


XML Security 1.1 has updated algorithm information;

http://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/

http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/

SHA-256 is REQUIRED in XML Signature 1.1;  SHA-1 required but use is discouraged.

"Note: Use of SHA-256 is strongly recommended over SHA-1 because recent advances in cryptanalysis (see e.g. [SHA-1-Analysis], [SHA-1-Collisions] ) have cast doubt on the long-term collision resistance of SHA-1."


XML Signature Best Practices has updated information on threats, countermeasures and algorithms that might be useful as well:

http://www.w3.org/TR/2013/NOTE-xmldsig-bestpractices-20130411/


It seems WSS references XML Signature  from 2002 which is 2 versions behind (2nd Edition and 1.1 are now both Recommendations and incorporate algorithm updates, security updates, clarifications see [1] ).

regards, Frederick

Frederick Hirsch, Nokia
Chair XML Security WG

[1] http://www.w3.org/TR/2013/NOTE-xmldsig-core1-explain-20130411/  for 1.1

and http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/explain.html for 2nd edition

On Nov 14, 2013, at 4:32 AM, ext Pim van der Eijk wrote:


Hello,

I am working on a project where WS-Security is being proposed.  Security experts have pointed to some guideline documents that mention more modern security algorithms than are recommended in the BSP and in some other Web Services-related guidelines I have seen.

Do WS-Security toolkits and vendor products these days commonly support these newer algorithms like SHA-256,  so can a community therefore mandate them, or are most toolkits still limited to SHA-1 and would mandating SHA-256 create interoperability problems?

Kind Regards,

Pim van der Eijk


-------- Original Message --------
Subject:	[ws-brsp] BSP: SHA1 Preferred ?
Date:	Wed, 13 Nov 2013 19:14:18 +0100
From:	Pim van der Eijk <pvde@sonnenglanz.net>
To:	ws-brsp@lists.oasis-open.org


Hello,

My first question on this list,  sorry for not having had time for this TC before.

http://docs.oasis-open.org/ws-brsp/BasicSecurityProfile/v1.1/csprd01/BasicSecurityProfile-v1.1-csprd01.html#_Toc364859639

9.6.1  SHA-1 Preferred

The SHA-1 Digest algorithm is widely-implemented and interoperable hence the recommendation that it be used for signature digests.
R5420 Any DIGEST_METHOD Algorithm attribute SHOULD have the value "http://www.w3.org/2000/09/xmldsig#sha1".


While interoperable, there are concerns that SHA-1 is no longer secure. Current guidelines no longer recommend SHA-1 but instead recommend moving to SHA-256 or higher:

http://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/#sec-MessageDigests
"This specification defines several possible digest algorithms for the DigestMethod element, including REQUIRED algorithm SHA-256. Use of SHA-256 is strongly recommended over SHA-1 because recent advances in cryptanalysis (see e.g. [SHA-1-Analysis]) have cast doubt on the long-term collision resistance of SHA-1. Therefore, SHA-1 support is REQUIRED in this specification only for backwards-compatibility reasons."

http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
"SHA-1 as a hash function only for legacy applications"

http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
"FIPS PUB 180-4 (using SHA-256 and SHA-384)"

Shouldn't the BSP make recommendations consistent with current security recommendations?

Kind Regards,

Pim van der Eijk
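
An added example, not part of the original thread or of any toolkit mentioned in it: a small audit that lists the `SignatureMethod` and `DigestMethod` algorithm URIs in a `ds:Signature` and reports the SHA-1 based ones, which makes the case raised above (SHA-256 digests alongside an RSA-SHA1 signature) visible. The sample XML is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# SHA-1 based digest and signature algorithm URIs defined by XML Signature.
SHA1_URIS = {DS + "sha1", DS + "rsa-sha1", DS + "dsa-sha1", DS + "hmac-sha1"}

# Constructed sample: SHA-256 digest on the body, but an RSA-SHA1 signature
# and a SHA-1 digest on the timestamp reference.
SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#body">
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <ds:DigestValue>CONSTRUCTED</ds:DigestValue>
  </ds:Reference>
  <ds:Reference URI="#timestamp">
   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <ds:DigestValue>CONSTRUCTED</ds:DigestValue>
  </ds:Reference>
 </ds:SignedInfo>
 <ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>
</ds:Signature>"""


def list_algorithms(xml_text):
    """Return (element, reference URI or None, algorithm URI) per method."""
    # Trusted, constructed input here; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    found = []
    for signed_info in root.iter(f"{{{DS}}}SignedInfo"):
        method = signed_info.find(f"{{{DS}}}SignatureMethod")
        if method is not None:
            found.append(("SignatureMethod", None, method.get("Algorithm")))
        for ref in signed_info.findall(f"{{{DS}}}Reference"):
            digest = ref.find(f"{{{DS}}}DigestMethod")
            if digest is not None:
                found.append(("DigestMethod", ref.get("URI"), digest.get("Algorithm")))
    return found


def sha1_findings(xml_text):
    """Keep only the entries whose algorithm is SHA-1 based."""
    return [f for f in list_algorithms(xml_text) if f[2] in SHA1_URIS]


if __name__ == "__main__":
    for element, ref, alg in sha1_findings(SAMPLE):
        print(f"SHA-1 in {element} (reference {ref}): {alg}")
```
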













