square/js-jose

Switch to better default signing and encryption algorithms

codedust opened this issue · 0 comments

Currently, the library does not define the best algorithm choices for encryption and signing:

Signing
Please use PS256 by default instead of RS256. See, e.g., https://www.scottbrady91.com/JOSE/JWTs-Which-Signing-Algorithm-Should-I-Use

Also, in the README, the use of RSA-256 is described. However, RSA-256 does not exist according to RFC 7518.

Key Encryption
Please use RSA-OAEP-256 by default instead of RSA-OAEP (which uses SHA1). Severe attacks against SHA1 were found in 2017 [1] and 2020 [2] [3]. Also see, e.g., the warning in MDN [4].

[1] https://shattered.io/
[2] https://www.schneier.com/blog/archives/2020/01/new_sha-1_attac.html
[3] https://eprint.iacr.org/2020/014.pdf
[4] https://developer.mozilla.org/en-US/docs/Web/API/RsaHashedKeyGenParams
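
A check for the two defaults discussed in this issue, as an added example that is not part of the original issue or of js-jose's code: it decodes the protected header of compact JWS/JWE tokens and reports which ones use RS256 or RSA-OAEP, together with the WebCrypto parameters RFC 7518 assigns to each name. The function names and the sample tokens are constructed for illustration.

```javascript
// Added example (not js-jose code): audit compact JWS/JWE headers for the
// algorithms this issue asks to move away from. Function names are hypothetical.

// JOSE "alg" -> WebCrypto parameters per RFC 7518 (sections 3.3, 3.5, 4.3).
// "hash" is fixed at key import/generation; "saltLength" is passed to sign/verify.
const WEBCRYPTO_PARAMS = new Map([
  ["RS256", { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" }],
  ["PS256", { name: "RSA-PSS", hash: "SHA-256", saltLength: 32 }],
  ["RSA-OAEP", { name: "RSA-OAEP", hash: "SHA-1" }],
  ["RSA-OAEP-256", { name: "RSA-OAEP", hash: "SHA-256" }],
]);
// Replacement requested in the issue for each discouraged algorithm.
const PREFERRED = new Map([["RS256", "PS256"], ["RSA-OAEP", "RSA-OAEP-256"]]);

// Decode the protected header (first segment) of a compact JWS (3 parts) or JWE (5 parts).
function decodeProtectedHeader(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3 && parts.length !== 5) throw new Error("not a compact JWS/JWE");
  const b64 = parts[0].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  const header = JSON.parse(new TextDecoder().decode(bytes));
  if (header === null || typeof header !== "object" || typeof header.alg !== "string") {
    throw new Error('protected header has no string "alg"');
  }
  return { kind: parts.length === 3 ? "JWS" : "JWE", header };
}

// Classify one token: "ok", "discouraged" (with the preferred alg), or "unlisted".
function auditToken(token) {
  const { kind, header } = decodeProtectedHeader(token);
  const alg = header.alg;
  const webcrypto = WEBCRYPTO_PARAMS.get(alg) || null;
  const preferred = PREFERRED.get(alg) || null;
  const status = webcrypto === null ? "unlisted" : preferred ? "discouraged" : "ok";
  return { kind, alg, status, preferred, webcrypto };
}

// Constructed sample tokens: real header encoding, placeholder remaining segments.
function sampleToken(header, segments) {
  const b64 = btoa(JSON.stringify(header));
  const b64url = b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [b64url, ...Array(segments - 1).fill("x")].join(".");
}

for (const t of [
  sampleToken({ alg: "RS256" }, 3),
  sampleToken({ alg: "RSA-OAEP", enc: "A256GCM" }, 5),
  sampleToken({ alg: "PS256" }, 3),
]) console.log(auditToken(t));
```

The check reads only the header, so it reports what a producer chose; a consumer still has to pin the accepted `alg` values itself rather than trusting the token.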