OpenSSL PKCS #7 supports AES & SHA-2 ?

Alex Alten alex at alten.org
Tue Oct 10 12:47:01 EDT 2006 

Russ,

OK.  I found SHA-2 in RFC 4634 (only 3 months old), which refers back to 
FIPS 180-2.

But I reach a dead-end with PKCS #7 (now RFC 3852).  There's no support for 
SHA-2
algorithm types (RFC 3279). Also PKCS #1 (now RFC 3447) needs an update for
SHA-2 with RSA encryption (OIDs, etc.).

Did I miss something or do you need help in updating these, since I, and 
probably
others too, need them?

- Alex


At 01:19 PM 10/9/2006 -0400, Russ Housley wrote:
>PKCS#7 has been turned over to the IETF for maintenance.  The most recent 
>version is RFC 3852.  Since the protocol is more stable than the 
>cryptographic algorithms, the algorithm discussion appear in separate RFCs.
>
>TLS 1.2 is under development in the IETF.  It is being done in such a way 
>that none of the ciphersuites that have already been defined need to be 
>updated, including the ones that use AES and the SHA-2 family.
>
>Russ
>
>
>At 01:28 AM 10/7/2006, Alex Alten wrote:
>>After reading PKCS #1 v2 more closely and SHA-2 is not even in the specs,
>>therefore OpenSSL PKCS #7 functions won't support SHA-2.  This spec was
>>last updated in 1998.
>>
>>PKCS Editor, is there a new update in progress by RSA Labs to incorporate
>>SHA-2 and AES?
>>
>>Does OpenSSL implement PKCS #1 v2 or just v1.5?  If the latter then not even
>>SHA-1 is supported.
>>
>>PKCS editor, is there any timeline as to when PKCS #7 will then be updated
>>with references to official OIDs, etc., for specifying SHA-2 and AES?
>>
>>Dr. Ron Rivest, are you going to publish new message-digest IETF RFCs for 
>>SHA-1
>>and SHA-2?  (So that they can be referenced by an updated PKCS #7.)
>>
>>Mr. Russ Housley, can you weigh in with what happening in the IETF WG 
>>security
>>area?  I know that Mr. Eric Rescorla is working on a new TLS v1.2 
>>draft.  Will this
>>be done/ratified soon?  I assume OpenSSL will incorporate this soon 
>>thereafter?
>>
>>This mess with the MD5 and SHA-1 hashes is really starting to becoming a 
>>problem.
>>It's certainly impacting new development projects/products I'm involved 
>>with using
>>SSL and PKI certificates.  My customers are concerned about using MD5 and
>>SHA-1, and they don't want to keep paying for implementations repeatedly 
>>as the
>>standards catch up to reality.  Updating these various heavily used standards
>>quickly is quite important.
>>
>>Sincerely (and thanks in advance for all of your replies),
>>
>>- Alex
>>
>>
>>At 09:05 AM 10/6/2006 -0700, Alex Alten wrote:
>>>Does anyone know if the OpenSSL PKCS #7 functions support AES and SHA-2?
>>>(I assuming OpenSSL 0.9.7 or later.)
>>>
>>>Thanks,
>>>
>>>- Alex

--

Alex Alten
Alten Security Engineering, Inc.
alex at alten.org




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list