ietf-openpgp

Re: [openpgp] RSA-PSS and RSA-OAEP for v5

2021-02-27 21:50:13
brian m. carlson <sandals(_at_)crustytoothpaste(_dot_)net> writes:

> I'm interested in seeing if we can require v5 SKESK packets with RSA use
> RSA-OAEP with SHA-256 and MGF1-SHA-256 and require that v5 signatures with RSA
> use RSA-PSS, with the MGF using the same digest as the signature.

Apart from adding a huge amount of complexity and potential interop problems,
you're not really gaining anything by this that isn't already addressed by
"MUST use encode-then-memcmp() for signatures".  PKCS #1 signing is perfectly
secure if you do that, and PKCS #1 encryption doesn't matter much because PGP
isn't likely to be used in situations where it acts as an online million-
message oracle.

See also my post to the cryptography list last year about all the games an
attacker can play with OAEP because the parameters aren't authenticated and
therefore attacker-controlled.

Peter.
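
The encode-then-compare check mentioned in the message above, as an added example (not code from the post or from any OpenPGP implementation): the verifier rebuilds the one canonical EMSA-PKCS1-v1_5 block from RFC 8017 and compares it whole, in constant time, instead of parsing what the signature decrypts to. The toy key and the helpers `sign_encoded` and `noncanonical_block` are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed toy key for the demonstration only: two Mersenne primes, so it
# offers no security. Real keys come from a proper key generator.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(message: bytes, k: int = K) -> bytes:
    """Build the one canonical encoding: 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_encoded(em: bytes) -> bytes:
    """Raw RSA private-key operation on an already encoded block."""
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def sign(message: bytes) -> bytes:
    return sign_encoded(emsa_pkcs1_v15(message))


def verify(message: bytes, signature: bytes) -> bool:
    """Encode-then-compare: the recovered block is never parsed."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(message))


def noncanonical_block(message: bytes) -> bytes:
    """Constructed negative test input: short padding, trailing filler."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (K - len(head))
```

Because `verify` compares the full block, a signature over any encoding other than the canonical one is rejected even when the embedded digest is correct.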
