API Gateway: The use of 'RSASSA-PKCS-v1_5 using SHA-256' is not recommended

book

Article ID: 187185

calendar_today

Updated On:

Products

CA API Gateway API SECURITY CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7) CA API Gateway Enterprise Service Manager (Layer 7) STARTER PACK-7 CA Microgateway

Issue/Introduction

When using the Encode JSON Web Token assertion you may see a warning referencing the below:

The use of 'RSASSA-PKCS-v1_5 using SHA-256' is not recommended
The use of 'RSASSA-PKCS-v1_5 using SHA-384' is not recommended
The use of 'RSASSA-PKCS-v1_5 using SHA-512' is not recommended

Environment

Release : 9.4

Component : API GATEWAY

Resolution

While the algorithm should not be used for encryption, it can still be used for signature in JWS.

Security considerations are the reason RSASSA-PKCS1-v1_5 algorithms are labeled as 'not recommended' in our GUI. From the RFC section-3.3, "A key of size 2048 bits or larger MUST be used with these algorithms.".  Since the key/key-size is also chosen by the user, we wanted to bring attention to the importance of the setting without limiting their ability to choose it. 

Attachments