ietf-smime

Proposed CMS security considerations re PKCS #1

1998-09-02 10:39:41
At last week's S/MIME WG session, I accepted an action per Russ' suggestion
to propose text for the security considerations section of CMS dealing with
the PKCS #1 vulnerability issue.  I've attached a proposal; if the PKCS #1
V2 document makes it to Informational RFC before the WG Last-Call on CMS
closes, I'd hope to update the citation correspondingly.  Comments?

--John Linn, RSA Laboratories

[insert in CMS Security considerations]

Users of CMS, particularly those employing CMS to support interactive
applications, should be aware that PKCS #1 as documented in RFC-2313 is
vulnerable to adaptive chosen ciphertext attacks when applied for encryption
purposes. Exploitation of the identified vulnerability, revealing the result
of a particular RSA decryption, requires access to an oracle which will
respond to a large number (e.g., hundreds of thousands) of ciphertexts,
which are constructed adaptively in response to previously-received replies
providing information on the results of attempted decryptions. As a result,
the attack appears significantly less feasible to perpetrate for
store-and-forward S/MIME environments than for directly interactive
protocols.  Where CMS constructs are applied as an intermediate layer within
an interactive request-response communications environment, exploitation
could be more feasible. 

A revised version of PKCS #1, targeted to become PKCS #1 V2.0 and to succeed
RFC-2313, has been published as an Internet-Draft, and specifies and
recommends use of Optimal Asymmetric Encryption Padding (OAEP) when RSA
encryption is applied for secrecy purposes in order to resolve this
vulnerability.  Designers of systems employing CMS within interactive
environments should either consider usage of this revised padding (which may
become a candidate for citation in a future version of the CMS
specification), or should ensure that their applications do not return
information which could reveal the success or failure of attempted PKCS #1
decryption operations. 
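To make the second recommendation concrete, here is an added example (my own illustration, not part of John Linn's proposal or of any CMS implementation) showing the difference between a PKCS #1 block-type-02 decryption routine that reports padding failures and one that does not. The key is a toy RSA modulus built from two Mersenne primes, constructed only so the block runs offline; the "implicit rejection" technique (returning a ciphertext-derived pseudorandom key of the expected length instead of an error) is an assumption borrowed from later TLS practice, not something the proposed text mandates. The fixed `key_len` parameter reflects that in a CMS key-transport recipient the content-encryption key length is already known from the algorithm identifier, so the recipient never has to branch on the decrypted block to learn it.

```python
import hashlib
import hmac
import os

# Toy RSA parameters, constructed for this example from two Mersenne primes.
# Real keys are far larger; the padding logic below does not depend on size.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in octets (30 here)

# Per-key secret for deriving a deterministic fallback key when padding is
# invalid (assumed "implicit rejection" design, not from the RFC text).
FALLBACK_SECRET = os.urandom(32)


def rsa_raw(block: bytes, exponent: int) -> bytes:
    """Textbook RSA on a K-octet block; padding is handled by the callers."""
    return pow(int.from_bytes(block, "big"), exponent, N).to_bytes(K, "big")


def pkcs1_v15_pad(message: bytes) -> bytes:
    """RFC 2313 block type 02: 00 || 02 || PS (nonzero, >= 8 octets) || 00 || M."""
    ps_len = K - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = b""
    while len(ps) < ps_len:
        ps += bytes(b for b in os.urandom(16) if b != 0)
    return b"\x00\x02" + ps[:ps_len] + b"\x00" + message


def rsa_encrypt(message: bytes) -> bytes:
    return rsa_raw(pkcs1_v15_pad(message), E)


def leaky_decrypt(ciphertext: bytes) -> bytes:
    """Straightforward decryption that raises on malformed padding.
    An application that relays this error (or behaves differently because
    of it) is exactly the decryption oracle the considerations text warns about."""
    em = rsa_raw(ciphertext, D)
    if em[:2] != b"\x00\x02":
        raise ValueError("invalid PKCS #1 block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:                       # PS must be at least 8 octets
        raise ValueError("invalid PKCS #1 padding")
    return em[sep + 1:]


def reveals_error(ciphertext: bytes) -> bool:
    """True if leaky_decrypt signals a padding problem for this ciphertext."""
    try:
        leaky_decrypt(ciphertext)
    except ValueError:
        return True
    return False


def oracle_free_decrypt(ciphertext: bytes, key_len: int) -> bytes:
    """Recover a transported key of known length without signalling whether
    the padding was valid: all checks fold into one flag, the output is
    selected by masking rather than branching, and an invalid block yields a
    ciphertext-dependent pseudorandom key of the same length instead of an
    error. (Pure Python cannot guarantee constant time; the point here is
    the absence of a distinguishable success/failure path.)"""
    if key_len > K - 11:               # depends only on public parameters
        raise ValueError("key length incompatible with modulus")
    em = rsa_raw(ciphertext, D)
    sep = K - key_len - 1              # position the 00 separator must occupy
    bad = em[0] | (em[1] ^ 0x02) | em[sep]
    for b in em[2:sep]:
        bad |= int(b == 0)             # PS must contain no zero octets
    mask = -(1 if bad else 0) & 0xFF   # 0xFF if padding is bad, else 0x00
    candidate = em[K - key_len:]
    fallback = hmac.new(FALLBACK_SECRET, ciphertext, hashlib.sha256).digest()
    fallback = (fallback * (key_len // 32 + 1))[:key_len]
    return bytes((f & mask) | (c & (mask ^ 0xFF))
                 for f, c in zip(fallback, candidate))


if __name__ == "__main__":
    key = b"sixteen-byte key"                      # constructed sample key
    c = rsa_encrypt(key)
    print(oracle_free_decrypt(c, 16) == key)       # valid block: key recovered
    tampered = rsa_raw(b"\x00\x01" + b"\xff" * 11 + b"\x00" + key, E)
    print(reveals_error(tampered))                 # leaky path: error visible
    print(len(oracle_free_decrypt(tampered, 16)))  # quiet path: still 16 octets
```

With the quiet path, a recipient that goes on to use the returned key (and fails later, in the same way for every bad ciphertext) gives the sender nothing to adapt to; the fallback is derived from the ciphertext so repeated submissions of the same bad block look consistent rather than random.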
