Ian Grigg <iang(_at_)systemics(_dot_)com> writes:
As already mentioned in Section 2, GPG implements RSA encryption as defined
by PKCS#1 v1.5. This is not state-of-the-art cryptography: like with
ElGamel, Bleichenbacker's chosen-ciphertext  can decrypt any ciphertext.
This came up on the S/MIME group some time ago, I did a back-of-the-envelope
calculation and came up with some figure like 6 months continuous hammering of
a mail server *specifically configured to act as an oracle* to decrypt a
message (that's not the exact figure, it may have been 8 months or something
similar, I'd have to go back and dig up the notes). My conclusion was that in
terms of things to worry about it was at about the same level as being hit by
a freak meteor.
(And before someone leaps in with "I can dream up an artificial scenario where
...", I'm quite sure you can, but it's really a "don't do that, then" issue
and not any real-world threat).
There was a brief attempt to force S/MIME to go to OAEP, but the response was
something akin to a general yawn from implementors (see "The Crypto Gardening
Guide and Planting Tips" at
http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt for more on this).
My question here would be more along the lines of whether a warning comment
should be placed in the draft document?
"Do not custom-configure your MTA to act as an oracle for an attacker and then
let it run unattended for six months" ought to do it.