
I'm working on a solution where JWE is needed between an Android app and a backend written in Node.JS, using node-jose. I've been struggling a lot since it seems there is no out of the box compatibility between Android - if you want to use the HW backed keystore - and any node JWE library when it comes to the RSA key, because:

  • Android supports these ciphers for the HW backed AndroidKeyStore provider. Note, RSA-OAEP-256 (MGF1 SHA-256) is NOT supported; for some reason Android only supports MGF with SHA-1 even for OAEP-256.
  • node-jose only seems to support OAEP schemes with the same MD for OAEP and the MGF:
  • The Nimbus JOSE Java library doesn't support the Android KeyStore out of the box, but I've patched it to use RSA/ECB/OAEPWithSHA-256AndMGF1Padding(SHA-1)
  • Nimbus JOSE has deprecated RSA-OAEP (SHA-1) in favor of RSA-OAEP (SHA-256)

The incompatibility is surprising to me; you'd think there would be an off-the-shelf solution for implementing JWE between Node.JS and Android. But I'm wondering about RSA OAEP SHA-1. Nimbus JOSE deprecated it, is it discouraged to use it? Has it been proven vulnerable?

Also, in the future, I want to support the iPhone. I don't know much about iOS, but it seems Apple also has an HW protected key store ("Secure Enclave"). However, it only supports EC!

So if one wanted to build a solution where a mobile phone and a backend server use JWE for encrypted communication, what's my best bet? My idea is that the mobile app creates a key pair in its hardware-backed Keystore, gives the public key to the backend, and the backend can then create JWEs where the public key is used to encrypt the CEK. But considering Android only supports RSA with some flavors such as RSA OAEP with SHA-256 and MGF1+SHA1, and Apple only supports EC, I guess I'd have to support both RSA and EC on the backend, and if needed patch libraries such as node-jose and node-forge to fit my needs. But perhaps I'm going around this all wrong?

Ref: node-jose issue

JHH

1 Answer


node-jose only supports RSA OAEP with SHA-1 and no MGF1 or RSA OAEP with SHA-256 and no MGF1

That's extremely unlikely since OAEP does need to use a Mask Generation Function, and there is only one defined: MGF1. So maybe it doesn't specify it explicitly, but it really must support it to be called OAEP.

But I'm wondering about RSA OAEP SHA-1. Nimbus JOSE deprecated it, is it discouraged to use it? Has it been proven vulnerable?

No. Best to compare MGF1 with an expanding key derivation function probably. For this kind of use SHA-1 is still secure, even though the relatively small output size doesn't help. It certainly doesn't depend on the collision resistance.

However, I've had plenty of entities asking to deprecate SHA-1 in its entirety. The problem is that it is a huge red flag for auditors, who then have to look if the use of the hash is secure. And, to be honest, many auditors wouldn't know how to qualify if it is secure or not, so they see it as an avoidable risk. Which, to be honest, it probably is.

But perhaps I'm going around this all wrong?

I don't know, it seems that Apple supports RSA for encryption if I look at the description here.

Maarten Bodewes