[Top] [All Lists]

Re: paper of interest to be presented at EuroCrypt

2004-03-09 15:40:42

In message <404E3A37(_dot_)4050409(_at_)systemics(_dot_)com>, Ian Grigg writes:

The paper also makes some comments concerning
OpenPGP weaknesses (sans exploits) of PKCS#1 v1.5
RSA encryption and signatures (section 4.2, 4.3).

   4.2 Encryption

   As already mentioned in Section 2, GPG implements
   RSA encryption as defined by PKCS#1 v1.5.  This is
   not state-of-the-art cryptography: like with
   ElGamel, Bleichenbacker's chosen-ciphertext [4]
   can decrypt any ciphertext.  But, as mentioned
   in 3.3, the relevance of such attacks to the email
   world is debatable, in part because of the high
   number of oracle calls.  We hope that future
   versions of the OpenPGP standard, will recommend
   better RSA encryption standards (see for instance
   PKCS#1 v2.1 [20] or NESSIE [8]).

Any comments?

Presumably it is way too late in the piece to
change these methods.  My question here would be
more along the lines of whether a warning comment
should be placed in the draft document?

Adding a warning in the Security Considerations section would, I think, 
be necessary here.  It's a known weakness that could have serious 
consequences if, for example, the OpenPGP message format was used for 
some sort of programmatic interface, rather than for email.

                --Steve Bellovin,