ietf-dkim
Re: [ietf-dkim] DKIM using old RSA padding?

2011-02-28 09:02:32
On Mon, 28 Feb 2011 09:44:25 -0500,
Dave CROCKER <dhc(_at_)dcrocker(_dot_)net> wrote:

> Just for archive completeness (and to comfort folks like me who lack
> crypto clue) could you offer a very brief summary of the difference
> between what DKIM currently uses and what is being suggested,
> especially in terms of how the newer one is better and why that might
> be important?

The difference is merely protection against hypothetical weaknesses in
the padding scheme. Old padding schemes have been made more or less in
a naive way (usually hash-then-sign), while PSS (specified in PKCS #1
2.1) provides provable security properties under certain model
assumptions.

There are no known flaws in the old padding scheme. But in theory,
there could be flaws which can be excluded by using PSS.

For details, the research papers this is based on can be found here:
http://www.cs.ucdavis.edu/~rogaway/papers/exact.html

So yes, this is nothing in any way urgent. Citing RFC 3447 / PKCS #1
2.1:
"RSASSA-PKCS1-v1_5 is included for compatibility with existing
applications, and while still appropriate for new applications, a
gradual transition to RSASSA-PSS is encouraged."


cu,
-- 
Hanno Böck              mail/jabber: hanno(_at_)hboeck(_dot_)de
GPG: BBB51E42           http://www.hboeck.de/

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
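
The difference described in the reply above, as an added example that is not part of the original message or of any DKIM implementation: the two encodings from RFC 3447 that are applied to the message hash before the RSA private-key operation, built with SHA-256 for a 2048-bit modulus. The function names and the sample message are assumptions made for illustration; the RSA operation itself is left out.

```python
# Added example: the encoding (padding) step only, no RSA key operation.
import hashlib, hmac, os

H_LEN = 32  # SHA-256 digest length in octets
# DER DigestInfo prefix for SHA-256 (RFC 3447, notes to section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
MSG = b"constructed sample input standing in for signed header data"

def emsa_pkcs1_v15(msg, em_len):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo. Fully deterministic."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def mgf1(seed, n):
    """Mask generation function MGF1 over SHA-256."""
    out = b""
    for c in range((n + H_LEN - 1) // H_LEN):
        out += hashlib.sha256(seed + c.to_bytes(4, "big")).digest()
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def emsa_pss_encode(msg, em_bits, salt=None):
    """EMSA-PSS: a fresh random salt is hashed in, so each encoding differs."""
    em_len = (em_bits + 7) // 8
    salt = os.urandom(H_LEN) if salt is None else salt
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("encoding error")
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, em_len - H_LEN - 1)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear bits above em_bits
    return bytes(masked) + h + b"\xbc"

def emsa_pss_verify(msg, em, em_bits, s_len=H_LEN):
    """Unmask DB, check its structure, recover the salt, recompute H."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:
        return False
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= top
    pad = em_len - H_LEN - s_len - 2
    if any(db[:pad]) or db[pad] != 0x01:
        return False
    m2 = b"\x00" * 8 + hashlib.sha256(msg).digest() + db[pad + 1:]
    return hmac.compare_digest(hashlib.sha256(m2).digest(), h)
```

For a 2048-bit modulus the PSS encoder is called with `em_bits=2047` (modulus bits minus one) and the v1.5 encoder with `em_len=256`.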