14

I need asymmetric pub/private keypair encryption in JavaScript. Web browsers support RSA-OAEP, which works exactly as I need. But there is a table which lists supported algorithms for web crypto at https://diafygi.github.io/webcrypto-examples/ ... and RSA-OAEP is marked using red color (Discouraged, only use for backwards compatibility).

Is there any problem with RSA-OAEP? Should it be replaced by different algos? Or do you think that the person who wrote the table was wrong by marking RSA-OAEP red? Thank you

Tomas M

3 Answers

23

RSA in general is often considered to be "discouraged" for new projects. For quite some years, the rallying cry has been "switch to elliptic curves", but nowadays there are calls for going straight for so-called "post-quantum" schemes.

RSA benefits from having survived a lot of public scrutiny (arguably, integer factorization is a problem that has been studied for three millennia at least), and while there has been substantial progress in cryptanalysis, 2048-bit RSA keys are likely to remain secure for a long time. There are also good and bad ways to use RSA for asymmetric encryption, but RSA-OAEP is about as good as you can get with RSA, so that's fine.

Elliptic curves offer better performance (on the decryption side) and are more fashionable. What this means is that before being actually broken, RSA may become disused, meaning that you will get interoperability issues, and implementations will be poorly maintained at some point. In my view, none of this is critical.

Quantum computers eat RSA keys for breakfast; however, they also munge through elliptic curves at lunch time, so that's not a good argument for switching to curves. It's a fortunate thing that quantum computers don't really exist yet (and whether they will exist at some point is an open question). "Post-quantum" schemes are algorithms that appear to resist quantum computers (specifically, these are algorithms for which no efficient quantum-solving attack is known – which does not mean that such attacks don't exist!). There is no real post-quantum drop-in replacement for classic algorithms yet (there are good candidates, but a lot of standardization and implementation deployment is still needed).

Aman Grewal
Thomas Pornin
9

You'll have to ask the author of that site why they made that assessment.

Although there's no technical reason to prefer RSA-OAEP over the much simpler (to implement and to study) RSA-KEM, RSA-OAEP is more widely standardized and deployed, as RSAES-OAEP in PKCS#1 v2.

There are other RSA-based public-key encryption schemes out there, but since that site doesn't list any of them, my only guess is that the author of that site prefers ECDH-based public-key key encapsulation methods over all RSA-based public-key encryption schemes.

But largely, WebCrypto was based on parroting standards full of acronym soup for backwards compatibility with archaic pantheons of cryptographic doohickeys, rather than carefully analyzing crypto engineering needs of novel applications like NaCl. So who can say what rhyme or reason goes into the product of that process?

This table itself doesn't help by confounding many unrelated operations and security properties into a single table, as if there were any reason to put RSASSA-PSS and RSAES-OAEP and AES-CMAC and AES-CTR side by side in a single table as if they were comparable types of objects—magic crypto black boxes with a different subset of buttons you can push to summon the crypto fairies.

Squeamish Ossifrage
3

The table that you cite should not be considered authoritative. There is nothing wrong with using RSA-OAEP. It is a well-studied protocol based on RSA primitives and more than twenty years of subsequent research into the nature of cryptographic security.

The primary disadvantage of RSA-OAEP is that the RSA keys are less efficient than those used by the corresponding elliptic curve operations. By "less efficient" I mean that when you compare RSA and elliptic curve cryptography for keys of similar strength, the RSA keys take longer to generate, they are larger, and they are slower to use for decryption.

With that said, you may be interested in this 2015 article by Koblitz and Menezes that appeared in IEEE Security and Privacy, an unfortunately named article A Riddle Wrapped in an Enigma? The answer seems to be that the math of RSA is better studied and understood than the math of elliptic curves. RSA may offer better resistance against smaller quantum computers than elliptic curve crypto.

Since the largest quantum computers these days have on the order of 50 qubits, and since around 20 million noisy qubits are needed to factor RSA 2048, I think that you'll be fine with RSA-OAEP. Besides, there are no standardized PQ algorithms to use at this point.

vy32