API Gateway: The use of 'RSASSA-PKCS-v1_5 using SHA-256' is not recommended
Article ID: 187185
Updated On:
Products
CA API Gateway
API SECURITY
CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway
Issue/Introduction
When using the Encode JSON Web Token assertion you may see a warning referencing the below:
The use of 'RSASSA-PKCS-v1_5 using SHA-256' is not recommended
The use of 'RSASSA-PKCS-v1_5 using SHA-384' is not recommended
The use of 'RSASSA-PKCS-v1_5 using SHA-512' is not recommended
Environment
Release : 9.4
Component : API GATEWAY
Resolution
While the algorithm should not be used for encryption, it can still be used for signature in JWS.
Security considerations are the reason RSASSA-PKCS1-v1_5 algorithms are labeled as 'not recommended' in our GUI. From the RFC section-3.3, "A key of size 2048 bits or larger MUST be used with these algorithms.". Since the key/key-size is also chosen by the user, we wanted to bring attention to the importance of the setting without limiting their ability to choose it.
Security considerations are the reason RSASSA-PKCS1-v1_5 algorithms are labeled as 'not recommended' in our GUI. From the RFC section-3.3, "A key of size 2048 bits or larger MUST be used with these algorithms.". Since the key/key-size is also chosen by the user, we wanted to bring attention to the importance of the setting without limiting their ability to choose it.
Feedback
Yes
No
Powered by
