ietf-smime

RE: Proposed CMS security considerations re PKCS #1

1998-09-21 13:58:00
John:

Your suggested changes are incorporated....

Russ


At 10:30 AM 9/18/98 -0400, Linn, John wrote:
Russ:

Thanks for incorporating the material.  This looks generally good; I'd like
to suggest two clarifications and fix one typo, embedded below:

----------
From:        Russ Housley[SMTP:housley(_at_)spyrus(_dot_)com]
Sent:        Thursday, September 17, 1998 1:42 PM
To:  jlinn(_at_)securitydynamics(_dot_)com
Cc:  ietf-smime(_at_)imc(_dot_)org
Subject:     Re: Proposed CMS security considerations re PKCS #1

John:

Thanks for the contribution.  I made a few changes to make the words flow with
the rest of the Security Considerations section.  Please let me know if I
messed anything up in the process.

Russ


[inserted in CMS Security considerations]

Users of CMS, particularly those employing CMS to support interactive
applications, should be aware that PKCS #1 [RFC 2313] is vulnerable to adaptive
chosen ciphertext attacks when applied for encryption purposes.  Exploitation
of this identified vulnerability, revealing the result of a particular RSA
decryption, requires access to an oracle which will respond to a large number
of ciphertexts (perhaps hundreds of thousands)

Suggest replacing "(perhaps hundreds of thousands)" with "(based on
currently available results, hundreds of thousands or more)".

, which are constructed adaptively in response to previously-received replies
providing information on the results

Consistent with the second paragraph, I suggest changing "the results" to
"the successes or failures"; sorry for not already having framed this
sentence in this fashion. 

of attempted decryption operations.  As a result, the attack appears
significantly less feasible to perpetrate for store-and-forward S/MIME
environments than for directly interactive protocols.  Where CMS constructs
are applied as an intermediate encryption layer within an interactive
request-response communications environment, exploitation could be more
feasible.

An updated version of PKCS #1 has been published as an Internet-Draft, and the
new document is targeted to become PKCS #1 Version 2.0 and to succeed RFC 2313.
To resolve the adaptive chosen ciphertext vulnerability, the new document
specifies and recommends use of Optimal Asymmetric Encryption Padding (OAEP)
when RSA encryption is applied to provide secrecy.  Designers of protocols and
systems employing CMS for interactive environments should either consider usage
of OAEP, or should ensure that information which could reveal the success or
failure of attempted PKCS #1 decryption operations in not

Typo: "in not" -> "is not".

provided.  Support for OAEP may be added to a future version of the CMS
specification once PKCS #1 Version 2.0 is stable.

--jl
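The attack the proposed Security Considerations text describes, as an added example that is not part of this thread nor of the CMS or PKCS #1 documents: a pure-Python run of Bleichenbacher's adaptive chosen-ciphertext attack against EME-PKCS1-v1_5 (RFC 2313 block type 02), using a toy RSA modulus built from two Mersenne primes (far too small for real use) and an oracle that reports only whether the decrypted block began with the octets 00 02. Beside the vulnerable decryptor sits one that returns a fixed-length fallback instead of an error, which is the "do not reveal success or failure" mitigation the draft text recommends. All function names (`leaky_decrypt`, `blind_decrypt`, `padding_oracle`, `bleichenbacher`, `demo`), the modulus and the sample message are constructed for this example. With a 150-bit modulus the recovery takes on the order of tens of thousands of oracle queries; the draft's hundreds-of-thousands figure is for realistic key sizes and a stricter oracle.

```python
"""Bleichenbacher's adaptive chosen-ciphertext attack on EME-PKCS1-v1_5
(RFC 2313 block type 02) against a toy RSA key, beside a decryptor that
withholds the padding result.  Added example; not code from the thread."""
import random

# Toy modulus from two Mersenne primes (constructed for the demo, ~150 bits,
# useless as a real key).  e = 65537 divides neither p-1 nor q-1.
P, Q, E = (1 << 61) - 1, (1 << 89) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8       # octet length of the modulus (19)
B = 1 << (8 * (K - 2))              # m in [2B, 3B) <=> encoded block starts 00 02


def cdiv(a, b):
    return -(-a // b)               # ceiling division for non-negative ints


def pkcs1_v15_encode(msg, rng=random):
    """EME-PKCS1-v1_5: 00 02 || PS (>= 8 nonzero octets) || 00 || M."""
    assert len(msg) <= K - 11
    ps = bytes(rng.randrange(1, 256) for _ in range(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def encrypt(msg, rng=random):
    return pow(int.from_bytes(pkcs1_v15_encode(msg, rng), "big"), E, N)


def leaky_decrypt(c):
    """Vulnerable: the caller can tell a block-type failure from other errors."""
    em = pow(c, D, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:                    # no separator, or PS shorter than 8 octets
        raise ValueError("bad separator")
    return em[sep + 1:]


def blind_decrypt(c, fallback):
    """Hardened as the draft advises: any failure yields a fixed-length fallback,
    so success/failure is not reported.  (Timing must be equalised as well.)"""
    try:
        return leaky_decrypt(c)
    except ValueError:
        return fallback


def padding_oracle(c):
    """What an attacker extracts from leaky_decrypt: did the block start 00 02?"""
    try:
        leaky_decrypt(c)
        return True
    except ValueError as err:
        return str(err) != "bad padding"


def bleichenbacher(c, oracle):
    """Recover m = c^d mod N from the oracle alone (Bleichenbacher 1998; the
    blinding step is skipped because c is already conforming).
    Returns (m, number of oracle queries)."""
    queries = 0

    def conforming(s):
        nonlocal queries
        queries += 1
        return oracle((c * pow(s, E, N)) % N)   # decrypts to s*m mod N

    M = [(2 * B, 3 * B - 1)]
    s = cdiv(N, 3 * B)                  # step 2a: smallest s making s*m conforming
    while not conforming(s):
        s += 1
    while True:
        new = set()                     # step 3: narrow each interval using s
        for a, b in M:
            for r in range(cdiv(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, cdiv(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.add((lo, hi))
        M = sorted(new)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0], queries     # step 4: one candidate left
        if len(M) > 1:                  # step 2b: several intervals, keep scanning s
            s += 1
            while not conforming(s):
                s += 1
            continue
        a, b = M[0]                     # step 2c: one interval, roughly halve it per round
        r = cdiv(2 * (b * s - 2 * B), N)
        while True:
            s_range = range(cdiv(2 * B + r * N, b), (3 * B - 1 + r * N) // a + 1)
            hit = next((t for t in s_range if conforming(t)), None)
            if hit is not None:
                s = hit
                break
            r += 1


def demo(seed=2313):
    """Encrypt a constructed message, then recover it using only the oracle."""
    rng = random.Random(seed)
    msg = b"RFC2313"
    m, queries = bleichenbacher(encrypt(msg, rng), padding_oracle)
    em = m.to_bytes(K, "big")
    return em[em.index(b"\x00", 2) + 1:], queries
```

`demo()` returns the recovered plaintext together with the number of adaptively chosen ciphertexts the oracle had to answer, which is the cost the draft text is warning about. An oracle built on `blind_decrypt` instead of `leaky_decrypt` sees the same kind of response for every ciphertext, so the attacker's conformance test carries no information; that is the effect of the draft's second recommendation, provided the error path takes the same time as the success path.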


