To communicate and clarify some information relevant to PKCS #1 and, more
particularly, to its usage within S/MIME:
A revised draft version of PKCS #1, targeted to become V2.0, is now
available for review on http://www.rsa.com/rsalabs/pubs/PKCS/, responding to
a recently-discovered vulnerability to adaptive chosen ciphertext attacks
and recommending use of OAEP padding when PKCS #1 RSA encryption is applied
for secrecy purposes. Comments are solicited to pkcs-editor(_at_)rsa(_dot_)com, and
those received by Friday, 14 August will be considered in the final version.
The draft is available now in MS-Word .doc and Adobe Acrobat .pdf format;
preparation of an ASCII version is currently in progress.
Exploitation of the identified vulnerability, revealing the result of a
particular RSA decryption, requires access to an oracle which will respond
to a large number (e.g., hundreds of thousands) of ciphertexts, which are
constructed adaptively in response to previously-received replies providing
information on the results of attempted decryptions. As a result, the attack
appears appreciably less feasible to perpetrate for store-and-forward S/MIME
environments than for directly-interactive protocols (e.g., SSL, for which
the vulnerability was first identified). If S/MIME messaging constructs are
applied as an intermediate layer within an interactive request-response
communications environment, exploitation within such a context could become
more feasible.
--John Linn, RSA Laboratories