ietf-smime

Re: Proposed CMS security considerations re PKCS #1

1998-09-18 06:33:48
John:

Thanks for the contribution.  I made a few changes to make the words flow with
the rest of the Security Considerations section.  Please let me know if I
messed anything up in the process.

Russ


[inserted in CMS Security considerations]

Users of CMS, particularly those employing CMS to support interactive
applications, should be aware that PKCS #1 [RFC 2313] is vulnerable to adaptive
chosen ciphertext attacks when applied for encryption purposes.  Exploitation
of this identified vulnerability, revealing the result of a particular RSA
decryption, requires access to an oracle which will respond to a large number
of ciphertexts (perhaps hundreds of thousands), which are constructed
adaptively in response to previously-received replies providing information on
the results of attempted decryption operations.  As a result, the attack
appears significantly less feasible to perpetrate for store-and-forward S/MIME
environments than for directly interactive protocols.  Where CMS constructs are
applied as an intermediate encryption layer within an interactive
request-response communications environment, exploitation could be more
feasible.

An updated version of PKCS #1 has been published as an Internet-Draft, and the
new document is targeted to become PKCS #1 Version 2.0 and to succeed RFC
2313.  To resolve the adaptive chosen ciphertext vulnerability, the new
document specifies and recommends use of Optimal Asymmetric Encryption Padding
(OAEP) when RSA encryption is applied to provide secrecy.  Designers of
protocols and systems employing CMS for interactive environments should either
consider usage of OAEP, or should ensure that information which could reveal
the success or failure of attempted PKCS #1 decryption operations is not
provided.  Support for OAEP may be added to a future version of the CMS
specification once the PKCS #1 Version 2.0 is stable.
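The following is an added illustration, not text or code from the CMS draft, from PKCS #1, or from the message author. It shows concretely what the "oracle" in the paragraphs above is: a decryption routine for the RFC 2313 block type 2 padding (00 02 PS 00 M) that reports whether the padding was conformant, as an interactive protocol would do when it returns an error to the peer. Beside it is one way to follow the second recommendation, withholding the success/failure signal by substituting a random key of the expected length on failure. The toy RSA key generation, the function names and the 256-bit key size are assumptions made for the example; the key size is far too small for real use and the code is for study only.

```python
# Added illustration (not part of the CMS draft or PKCS #1): toy RSA,
# EME-PKCS1-v1_5 padding, a decryption routine whose error is the oracle the
# Security Considerations text warns about, and one way to withhold that signal.
# Toy key sizes only; never use this for real traffic.
import math
import random
import secrets

E = 65537  # public exponent


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; adequate for a toy key, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_toy_rsa_key(bits=256, seed=1):
    """Deterministic toy key (assumed helper): returns ((n, e), (n, d))."""
    rng = random.Random(seed)

    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if is_probable_prime(c, rng):
                return c

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            break
    n = p * q
    return (n, E), (n, pow(E, -1, phi))


def eme_pkcs1_v15_encode(msg, k):
    """RFC 2313 block type 2: 00 || 02 || PS || 00 || M, PS nonzero, >= 8 bytes."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = bytes(b or 1 for b in secrets.token_bytes(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def eme_pkcs1_v15_decode(em):
    """Inverse of the above. The ValueError raised on any structural defect is
    exactly the success/failure information that must not reach the peer."""
    if len(em) < 11 or em[0] != 0 or em[1] != 2:
        raise ValueError("decryption error")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # separator must leave at least 8 bytes of PS
        raise ValueError("decryption error")
    return em[sep + 1:]


def rsa_encrypt_v15(pub, msg):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(eme_pkcs1_v15_encode(msg, k), "big"), e, n)


def rsa_decrypt_v15_leaky(priv, ct):
    """Plain decryption: whoever sees the exception (or the protocol error it
    turns into) has the padding oracle described in the text."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    if not 0 <= ct < n:
        raise ValueError("decryption error")
    return eme_pkcs1_v15_decode(pow(ct, d, n).to_bytes(k, "big"))


def rsa_decrypt_v15_hardened(priv, ct, key_len):
    """Withhold the signal: on any padding failure or wrong length, return a
    random key of the expected length so the protocol fails later exactly as it
    would for a wrong key. This closes only the explicit-error channel; timing
    and other side channels still need constant-time handling."""
    substitute = secrets.token_bytes(key_len)  # drawn before the attempt
    try:
        key = rsa_decrypt_v15_leaky(priv, ct)
    except ValueError:
        return substitute
    return key if len(key) == key_len else substitute


if __name__ == "__main__":
    pub, priv = gen_toy_rsa_key()
    session_key = secrets.token_bytes(16)
    ct = rsa_encrypt_v15(pub, session_key)
    assert rsa_decrypt_v15_leaky(priv, ct) == session_key
    for bad in (0, 1):  # ciphertexts whose padding is certainly not conformant
        try:
            rsa_decrypt_v15_leaky(priv, bad)
            print("leaky: conformant")
        except ValueError:
            print("leaky: 'decryption error' (an oracle reply)")
        print("hardened:", len(rsa_decrypt_v15_hardened(priv, bad, 16)), "byte key, no error")
```

The hardened variant is the store-and-forward intuition from the text made explicit: if the recipient never tells anyone whether the padding parsed, a malformed ciphertext simply yields a content-encryption key that fails to decrypt the content, which is indistinguishable from a wrong key. OAEP, the first recommendation, removes the malleability that makes the oracle useful in the first place and is the preferable fix where the protocol can adopt it.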