In OAuth: use MAC-SHA1 or RSA-SHA1?

Question

Concerning OAuth, what is the most suitable cryptography/encryption method to use HMAC-SHA1 or RSA-SHA1 ?

Thanks.

Answer 1

After looking, it's seems that HMAC is much faster and better in term of security even if the underlying hash function (SHA1) is broken, which is not the case when using RSA-SHA1.

Answer 2

In cryptography you normally go for a symmetric scheme - such as HMAC - over an asymmetric scheme - such as RSA for signing - if that is possible within the protocol. In general asymmetric primitives such as RSA (with either the v1.5 or OAEP padding scheme) are slow. They are also more prone to timing and power analysis attacks.

There are however things you can do with asymmetric algorithms that you simply cannot do with symmetric primitives. Building a PKI (certificates) is probably most obvious one. So regarding key management asymmetric primitives have the upper hand. If you get into a situation where e.g. you have to distribute one symmetric key over multiple participants then you are probably in trouble.

So choose symmetric algorithms if you can get away with it within your protocol.