Thanks for incorporating the material. This looks generally good; I'd like
to suggest two clarifications and fix one typo, embedded below:
> From: Russ Housley [SMTP:housley(_at_)spyrus(_dot_)com]
> Sent: Thursday, September 17, 1998 1:42 PM
> Subject: Re: Proposed CMS security considerations re PKCS #1
>
> Thanks for the contribution. I made a few changes to make the words flow
> with the rest of the Security Considerations section. Please let me know
> if I messed anything up in the process.
>
> [inserted in CMS Security considerations]
>
> Users of CMS, particularly those employing CMS to support interactive
> applications, should be aware that PKCS #1 [RFC 2313] is vulnerable to
> chosen ciphertext attacks when applied for encryption purposes.
> Exploitation of this identified vulnerability, revealing the result of a
> particular RSA decryption, requires access to an oracle which will respond
> to a large number of ciphertexts (perhaps hundreds of thousands)

Suggest replacing "(perhaps hundreds of thousands)" with "(based on
currently available results, hundreds of thousands or more)".

> , which are constructed
> adaptively in response to previously-received replies providing the results

Consistent with the second paragraph, I suggest changing "the results" to
"the successes or failures"; sorry for not already having framed this
sentence in this fashion.

> of attempted decryption operations. As a result, the attack
> appears significantly less feasible to perpetrate for store-and-forward
> environments than for directly interactive protocols. Where CMS is
> applied as an intermediate encryption layer within an interactive
> request-response communications environment, exploitation could be more
>
> An updated version of PKCS #1 has been published as an Internet-Draft, and
> this new document is targeted to become PKCS #1 Version 2.0 and to succeed
> RFC 2313. To resolve the adaptive chosen ciphertext vulnerability, the new
> document specifies and recommends use of Optimal Asymmetric Encryption
> Padding (OAEP) when RSA encryption is applied to provide secrecy. Designers
> of protocols and systems employing CMS for interactive environments should
> consider usage of OAEP, or should ensure that information which could
> reveal the success or failure of attempted PKCS #1 decryption operations
> in not

Typo: "in not" -> "is not".

> provided. Support for OAEP may be added to a future version of the CMS
> specification once PKCS #1 Version 2.0 is stable.
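The oracle the quoted paragraphs describe is nothing more than a responder that lets the peer learn whether EME-PKCS1-v1_5 decoding succeeded. As an added example (my own code, not from this thread, RFC 2313 or the CMS draft), the Python below puts such a leaky responder next to one that follows the advice above by never revealing that outcome; the toy RSA key, the 16-octet session key and the HMAC-shaped reply are constructed assumptions for illustration only.

```python
import hmac
import secrets

# Constructed toy RSA key (Mersenne primes M107 and M127): a ~234-bit modulus,
# hopelessly small for real use; only the handler logic below matters.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus length in octets

def rsaep(em: bytes) -> bytes:
    """Raw RSA encryption of a K-octet encoded block (RSAEP in RFC 2313)."""
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")

def rsadp(ct: bytes) -> bytes:
    """Raw RSA decryption back to the K-octet encoded block (RSADP)."""
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")

def rsa_encrypt_v1_5(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 block type 2: 00 || 02 || PS (non-zero, >= 8) || 00 || M."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return rsaep(b"\x00\x02" + ps + b"\x00" + msg)

def eme_v1_5_decode(em: bytes):
    """Return M if the block is well-formed, else None: the yes/no answer the
    adaptive chosen-ciphertext attack needs to observe from the responder."""
    if len(em) != K or em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)
    return None if sep < 10 else em[sep + 1:]   # fewer than 8 PS octets -> invalid

def leaky_handler(ct: bytes) -> bytes:
    """Tells the peer whether decoding succeeded: an oracle in an interactive protocol."""
    key = eme_v1_5_decode(rsadp(ct))
    if key is None:
        return b"ERR bad padding"
    return hmac.new(key, ct, "sha256").digest()

def hardened_handler(ct: bytes) -> bytes:
    """Never reveals the decode result: a malformed block is swapped for a random
    key and the protocol continues, so the reply has the same shape either way
    and a later MAC failure cannot be told apart from a padding failure."""
    key = eme_v1_5_decode(rsadp(ct))
    if key is None:
        key = secrets.token_bytes(16)
    return hmac.new(key, ct, "sha256").digest()
```

The hardened responder is the "ensure that information which could reveal the success or failure ... is not provided" option; switching the transport to OAEP, as the draft recommends, removes the dependence on this discipline altogether.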