On Wed, 17 Jul 2002 15:26:38 +0900, "Jim Schaad" wrote:
> There is one large difference between TLS and CMS. The TLS protocol has
> already been modified to deal with the attacks on PKCS#1 v1.5, CMS has
> not been modified to deal with these attacks. Therefore I do not
> necessarily think that the TLS conclusion on this is sufficient.
Well, strictly speaking, there was no modification to the TLS protocol
per se, only to how implementations handle PKCS#1 padding failures... er, well, I
guess that kind of is a modification to the protocol.
Besides that, I agree with Peter. The side-channel attacks in CMS have to
be addressed anyway, because people will support PKCS#1 for backwards
interoperability with existing implementations. There is no problem with
S/MIME (as you have no random oracle), and the same is most likely true
for any other CMS-based application.
It would be much better to make OAEP a SHOULD and give the appropriate
recommendations to avoid side-channel attacks for the PKCS#1 stuff (and any
of the various other side-channel attacks, e.g. timing analysis, the Vaudenay
attack on CBC, etc.). There is a lot of infrastructure already heavily
invested in PKCS#1, some of which (like hardware accelerators, for example)
will take a while to change.
Dean Povey,              | em: povey(_at_)wedgetail(_dot_)com | JCSI: Java security
Wedgetail Communications | ph: +61 7 3023 5139                | uPKI: Embedded/C PKI toolkit
Level 14, 388 Queen St,  | fax: +61 7 3864 1282               | uSSL: Embedded/C SSL toolkit
Brisbane, Australia      | www: www.wedgetail.com             | XML Security: XML Signatures
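The "modification" Dean refers to, i.e. how a TLS server handles an RSA PKCS#1 v1.5 padding failure so that it does not hand the attacker a Bleichenbacher oracle, is shown below as an added example; it is not code from the thread or from any of the participants. It compares a naive unpadding routine, whose error is the oracle, with the countermeasure TLS implementations adopted (RFC 2246/5246 section 7.4.7.1): check the whole block with one accumulated flag and, on any failure, silently continue with a random 48-byte pre-master secret. The RSA key is a toy built from two Mersenne primes so the script runs offline; that key, the function names and the sample pre-master secret are assumptions of this example.

```python
"""Added example: PKCS#1 v1.5 padding-failure handling, naive vs. TLS-style."""
import os
import secrets

# Toy RSA key (assumption of this example). Mersenne primes are trivially
# factorable, so a key like this must never be used for anything real.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # modular inverse; needs Python 3.8+
K = (N.bit_length() + 7) // 8         # modulus length in bytes

PMS_LEN = 48                          # TLS pre-master secret length


def _rsa_pub(em: bytes) -> bytes:
    """Raw RSA public-key operation on an encoded message EM."""
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def _rsa_priv(ct: bytes) -> bytes:
    """Raw RSA private-key operation; returns the K-byte encoded message."""
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")


def pkcs1_v15_encrypt(msg: bytes) -> bytes:
    """RSAES-PKCS1-v1_5: EM = 0x00 || 0x02 || PS (nonzero bytes) || 0x00 || M."""
    if len(msg) > K - 11:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < K - len(msg) - 3:
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    return _rsa_pub(b"\x00\x02" + ps + b"\x00" + msg)


def decrypt_naive(ct: bytes) -> bytes:
    """Unpad and report errors to the caller. An attacker who can observe the
    ValueError (as a distinct alert, or via timing) has exactly the oracle
    Bleichenbacher's attack needs."""
    em = _rsa_priv(ct)
    if em[:2] != b"\x00\x02":
        raise ValueError("bad PKCS#1 block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:                      # PS must be at least 8 bytes long
        raise ValueError("bad PKCS#1 padding")
    return em[sep + 1:]


def padding_oracle(ct: bytes) -> bool:
    """What an attacker learns per query from a server using decrypt_naive."""
    try:
        decrypt_naive(ct)
        return True
    except ValueError:
        return False


def decrypt_tls_style(ct: bytes, client_version: bytes) -> bytes:
    """Countermeasure from RFC 2246/5246 section 7.4.7.1: validate every
    byte with one accumulated flag (no early exit) and, on any failure,
    substitute a random pre-master secret instead of signalling an error.
    The handshake then fails in Finished, as it would for any wrong key, so
    conforming and non-conforming ciphertexts look the same to the attacker.
    Python cannot guarantee constant-time execution; the structure shows
    what a native implementation has to do."""
    em = _rsa_priv(ct)
    fallback = secrets.token_bytes(PMS_LEN)
    sep = K - PMS_LEN - 1             # where 0x00 must sit for a 48-byte PMS
    ok = int(em[0] == 0) & int(em[1] == 2) & int(em[sep] == 0)
    for i in range(2, sep):           # every PS byte must be nonzero
        ok &= int(em[i] != 0)
    candidate = em[sep + 1:]
    ok &= int(candidate[:2] == client_version)   # version check, same flag
    mask = -ok & 0xFF                 # 0xFF if everything checked out, else 0x00
    return bytes((mask & c) | ((0xFF ^ mask) & r)
                 for c, r in zip(candidate, fallback))


if __name__ == "__main__":
    # Constructed sample: a TLS 1.2 pre-master secret (version 3.3 + 46 bytes).
    pms = b"\x03\x03" + bytes(range(46))
    good = pkcs1_v15_encrypt(pms)
    bad = _rsa_pub(b"\x00\x01" + b"\xff" * (K - 51) + b"\x00" + pms)  # wrong block type
    print("naive oracle  good/bad:", padding_oracle(good), padding_oracle(bad))
    print("tls-style     good ok :", decrypt_tls_style(good, b"\x03\x03") == pms)
    print("tls-style     bad len :", len(decrypt_tls_style(bad, b"\x03\x03")))
```

Note what the TLS-style routine deliberately does not do: it does not search for the 0x00 separator (a 47-byte or 49-byte result is treated as a failure, since the pre-master secret must be exactly 48 bytes), and it folds the version check into the same flag, because a distinct "bad version" alert would itself be an oracle. The same idea carries over to CMS key transport only if the application has a later step, such as a MAC or key-confirmation check, that fails uniformly for a substituted random key.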