API Gateway: The use of 'RSASSA-PKCS-v1_5 using SHA-256' is not recommended
Article ID: 187185
Updated On:
Products
CA API Gateway
API SECURITY
CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway
Issue/Introduction
When using the Encode JSON Web Token assertion, you may see one of the following warnings:
The use of 'RSASSA-PKCS-v1_5 using SHA-256' is not recommended
The use of 'RSASSA-PKCS-v1_5 using SHA-384' is not recommended
The use of 'RSASSA-PKCS-v1_5 using SHA-512' is not recommended
Environment
Release : 9.4
Component : API GATEWAY
Resolution
While the algorithm should not be used for encryption, it can still be used for signatures in JWS.
Security considerations are the reason the RSASSA-PKCS1-v1_5 algorithms are labeled 'not recommended' in our GUI. Section 3.3 of the RFC states: "A key of size 2048 bits or larger MUST be used with these algorithms." Because the user also chooses the key and its size, we wanted to draw attention to the importance of this setting without limiting the ability to choose it.
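One way to enforce the 2048-bit minimum before a key is used with RS256, RS384 or RS512, as an added example that is not CA API Gateway code: it reads the modulus from an RSA JWK and measures its real bit length. The function names are hypothetical and the sample keys are constructed numbers, not usable RSA keys.

```python
import base64

# JWA names for the RSASSA-PKCS1-v1_5 algorithms the warning refers to.
RSA_PKCS1_ALGS = {"RS256", "RS384", "RS512"}
MIN_RSA_BITS = 2048  # minimum key size quoted from section 3.3 of the RFC


def b64url_decode(value: str) -> bytes:
    """Decode unpadded base64url, the encoding used for JWK members."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def rsa_modulus_bits(jwk: dict) -> int:
    """Return the bit length of the modulus 'n' of an RSA JWK."""
    if jwk.get("kty") != "RSA" or "n" not in jwk:
        raise ValueError("not an RSA JWK")
    # Integer bit length, so leading zero bytes do not inflate the size.
    return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()


def check_signing_key(alg: str, jwk: dict) -> tuple[bool, str]:
    """Decide whether this key may be used with the given JWS 'alg'."""
    if alg not in RSA_PKCS1_ALGS:
        return True, f"{alg}: not an RSASSA-PKCS1-v1_5 algorithm, not checked"
    bits = rsa_modulus_bits(jwk)
    if bits < MIN_RSA_BITS:
        return False, f"{alg}: {bits}-bit key is below {MIN_RSA_BITS} bits"
    return True, f"{alg}: {bits}-bit key meets the minimum"


def make_test_jwk(bits: int, kid: str, pad_zero: bool = False) -> dict:
    """Constructed sample: a number of the requested size, not a real key."""
    n = (1 << (bits - 1)) | 1
    raw = n.to_bytes((bits + 7) // 8, "big")
    if pad_zero:
        raw = b"\x00" + raw  # some encoders emit a leading zero byte
    n_b64 = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return {"kty": "RSA", "kid": kid, "e": "AQAB", "n": n_b64}


if __name__ == "__main__":
    samples = (make_test_jwk(1024, "old"), make_test_jwk(2048, "ok"),
               make_test_jwk(2040, "padded", pad_zero=True))
    for jwk in samples:
        ok, reason = check_signing_key("RS256", jwk)
        print(jwk["kid"], "PASS" if ok else "FAIL", reason)
```

The "padded" sample is 256 bytes long but only 2040 bits, which is why the check uses the integer bit length rather than the byte count.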