In UPnP Security, we started out with a better encoding mechanism, that
provably avoids the attack on PKCS#1v1.5. However, we were forced by our
developers to go back to PKCS. The crypto libraries some of these folks
were using did PKCS#1 and nothing else.
So, we added instructions to the developers and convinced ourselves that
this made PKCS#1 safe.
http://www.upnp.org/standardizeddcps/security.asp
See p.49 of DeviceSecurity for those instructions.
- Carl
-----Original Message-----
From: owner-ietf-openpgp(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-openpgp(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Steven
M. Bellovin
Sent: Tuesday, March 09, 2004 2:41 PM
To: Ian Grigg
Cc: Mike Markowitz; Hal Finney; ietf-openpgp(_at_)imc(_dot_)org
Subject: Re: paper of interest to be presented at EuroCrypt
In message <404E3A37(_dot_)4050409(_at_)systemics(_dot_)com>, Ian Grigg
writes:
> The paper also makes some comments concerning
> OpenPGP weaknesses (sans exploits) of PKCS#1 v1.5
> RSA encryption and signatures (section 4.2, 4.3).
>
> 4.2 Encryption
>
> As already mentioned in Section 2, GPG implements
> RSA encryption as defined by PKCS#1 v1.5. This is
> not state-of-the-art cryptography: like with
> ElGamal, Bleichenbacher's chosen-ciphertext attack [4]
> can decrypt any ciphertext. But, as mentioned
> in 3.3, the relevance of such attacks to the email
> world is debatable, in part because of the high
> number of oracle calls. We hope that future
> versions of the OpenPGP standard will recommend
> better RSA encryption standards (see for instance
> PKCS#1 v2.1 [20] or NESSIE [8]).
>
> Any comments?
>
> Presumably it is way too late in the piece to
> change these methods. My question here would be
> more along the lines of whether a warning comment
> should be placed in the draft document?
Adding a warning in the Security Considerations section would, I think,
be necessary here. It's a known weakness that could have serious
consequences if, for example, the OpenPGP message format was used for
some sort of programmatic interface, rather than for email.
--Steve Bellovin, http://www.research.att.com/~smb
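Added example, not code from the thread or from any of the implementations mentioned: the PKCS#1 v1.5 (RSAES, block type 2) padding layer whose error handling becomes the decryption oracle the paper and Steve refer to, shown beside the usual mitigation (check every byte without early exit and substitute random bytes on failure). The RSA operation is assumed already done; the function names and the constructed 32-byte block are this example's own.

```python
"""PKCS#1 v1.5 unpadding: the leaky decode and the uniform-behaviour decode.
Only the encoded block EM = 0x00 || 0x02 || PS || 0x00 || M is handled here."""
import os


def pad_v15(msg: bytes, k: int) -> bytes:
    """Build EM for a k-byte modulus; PS is at least 8 non-zero random bytes."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(b if b else 1 for b in os.urandom(ps_len))  # PS may not contain 0x00
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_leaky(em: bytes) -> bytes:
    """Naive decode. Each distinct, early failure is observable by whoever
    submitted the ciphertext, which is exactly the padding oracle at issue."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return em[sep + 1:]


def unpad_uniform(em: bytes, msg_len: int) -> bytes:
    """Decode for a caller that already knows the plaintext length (a wrapped
    session key). Every byte is checked with no early exit, and an invalid
    block yields random bytes instead of an error, so the caller's later
    failure (MAC or integrity check) looks the same either way. Python itself
    is not constant time; the branch-free structure is what a native
    implementation must reproduce."""
    k = len(em)
    if not 0 <= msg_len <= k - 11:          # public sizes, safe to branch on
        raise ValueError("msg_len inconsistent with modulus size")
    sep = k - msg_len - 1                   # where the 0x00 separator must sit
    bad = (em[0] != 0x00) | (em[1] != 0x02)
    for i in range(2, k):                   # PS bytes non-zero, separator zero
        bad |= (em[i] == 0) if i < sep else (em[i] != 0) if i == sep else False
    fallback = os.urandom(msg_len)          # always generated, never skipped
    return fallback if bad else em[sep + 1:]
```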