ietf-openpgp
[Top] [All Lists]

RE: paper of interest to be presented at EuroCrypt

2004-03-10 00:25:36

In UPnP Security, we started out with a better encoding mechanism, that
provably avoids the attack on PKCS#1v1.5. However, we were forced by our
developers to go back to PKCS.  The crypto libraries some of these folks
were using did PKCS#1 and nothing else.

So, we added instructions to the developers and convinced ourselves that
this made PKCS#1 safe.

http://www.upnp.org/standardizeddcps/security.asp

See p.49 of DeviceSecurity for those instructions.


 - Carl


-----Original Message-----
From: owner-ietf-openpgp(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-openpgp(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Steven 
M. Bellovin
Sent: Tuesday, March 09, 2004 2:41 PM
To: Ian Grigg
Cc: Mike Markowitz; Hal Finney; ietf-openpgp(_at_)imc(_dot_)org
Subject: Re: paper of interest to be presented at EuroCrypt 


In message <404E3A37(_dot_)4050409(_at_)systemics(_dot_)com>, Ian Grigg 
writes:

The paper also makes some comments concerning
OpenPGP weaknesses (sans exploits) of PKCS#1 v1.5
RSA encryption and signatures (section 4.2, 4.3).

   4.2 Encryption

   As already mentioned in Section 2, GPG implements
   RSA encryption as defined by PKCS#1 v1.5.  This is
   not state-of-the-art cryptography: like with
   ElGamel, Bleichenbacker's chosen-ciphertext [4]
   can decrypt any ciphertext.  But, as mentioned
   in 3.3, the relevance of such attacks to the email
   world is debatable, in part because of the high
   number of oracle calls.  We hope that future
   versions of the OpenPGP standard, will recommend
   better RSA encryption standards (see for instance
   PKCS#1 v2.1 [20] or NESSIE [8]).

Any comments?

Presumably it is way too late in the piece to
change these methods.  My question here would be
more along the lines of whether a warning comment
should be placed in the draft document?


Adding a warning in the Security Considerations section 
would, I think, 
be necessary here.  It's a known weakness that could have serious 
consequences if, for example, the OpenPGP message format was used for 
some sort of programmatic interface, rather than for email.

              --Steve Bellovin, http://www.research.att.com/~smb