Re: Way Forward

2000-08-01 08:05:05
Russ Housley <housley@spyrus.com> writes:
> Issue:  Since the RSA patent is about to expire, Blake Ramsdell suggested
> that the RSA algorithm become the mandatory-to-implement algorithm for key
> management and signature.  It was pointed out that the current RSA key
> management (PKCS#1 v1.5) has a known vulnerability, so the OAEP technique
> should be employed instead.
I'm not sure what the rationale is for this and it seems to me to
present even more opportunities for incompatibility.  The
vulnerability in PKCS#1 1.5 is an adaptive chosen ciphertext attack
that requires order 2^20 messages to be processed by the recipient
with quite specific success or failure indications.  In most
applications, this isn't practical at all. Moreover, the attack is
easily countered with a simple set of checks.


[Eric Rescorla                                   ekr@rtfm.com]
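Added example, not part of the message above or of anything the IETF thread itself contains: the "success or failure indication" the reply refers to is the recipient's reaction to the PKCS#1 v1.5 block-type-02 padding check after RSA decryption. The block below shows a decoder that reports a distinct error for each failed check (the oracle an adaptive chosen-ciphertext attacker queries), beside a decoder that evaluates every check and, on any failure, hands back a random plaintext of the expected length so the caller behaves the same way whether or not the padding was valid. That second approach is the countermeasure later written up for CMS in RFC 3218; it is shown here as an illustration of the kind of check a recipient can apply, not as a transcription of what the author had in mind. All function names, the 32-byte block size (a toy value; real moduli are far larger) and the constructed 16-byte message are assumptions of this example, and Python gives no timing guarantees, so the code demonstrates the logic rather than a constant-time implementation.

```python
"""PKCS#1 v1.5 (EME, block type 02) padding check: a leaky decoder beside a
uniform-response decoder.  Example code, not from the original thread.
Operates on the k-byte block obtained after RSA decryption."""
import secrets


def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """Encode as 00 || 02 || PS || 00 || M, with PS >= 8 non-zero random bytes."""
    if len(message) > k - 11:
        raise ValueError("message too long for block size")
    ps = bytearray()
    while len(ps) < k - len(message) - 3:
        b = secrets.randbits(8)
        if b != 0:                      # PS must not contain 0x00
            ps.append(b)
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


class PaddingError(Exception):
    """Distinct reasons (or distinct timing) are what make the decoder an oracle."""


def unpad_leaky(em: bytes, k: int) -> bytes:
    """Naive decoder: stops at the first failed check and says which one failed."""
    if len(em) != k:
        raise PaddingError("wrong length")
    if em[0] != 0x00:
        raise PaddingError("first byte not 00")
    if em[1] != 0x02:
        raise PaddingError("block type not 02")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise PaddingError("no separator")
    if sep < 10:
        raise PaddingError("padding string shorter than 8 bytes")
    return em[sep + 1:]


def unpad_uniform(em: bytes, k: int, expected_len: int) -> bytes:
    """Evaluate every check; on any failure return random bytes of the expected
    length instead of an error, so the caller (which knows how long the key it
    expects is, as TLS and CMS recipients do) proceeds identically either way.
    Whatever it does next with a wrong key fails the same way as any other
    bad ciphertext, giving the attacker no padding-specific signal."""
    ok = len(em) == k
    ok &= em[:1] == b"\x00"
    ok &= em[1:2] == b"\x02"
    sep = em.find(b"\x00", 2)
    ok &= sep >= 10                               # separator present and PS >= 8 bytes
    ok &= (len(em) - sep - 1) == expected_len     # plaintext has the expected length
    candidate = em[sep + 1:]
    fallback = secrets.token_bytes(expected_len)  # assumption: random substitute key
    return candidate if ok else fallback


def tampered_blocks(message: bytes, k: int) -> list:
    """Constructed inputs: one valid block and five malformed variants."""
    em = pkcs1_v15_pad(message, k)
    return [
        em,                                             # valid
        b"\x01" + em[1:],                               # first byte wrong
        em[:1] + b"\x01" + em[2:],                      # block type wrong
        em[:2] + em[2:].replace(b"\x00", b"\xff"),      # separator removed
        em[:5] + b"\x00" + em[6:],                      # separator too early (PS < 8)
        em + b"\x00",                                   # wrong length
    ]


def leaky_oracle(em: bytes, k: int) -> str:
    """What an attacker observes from a recipient using unpad_leaky."""
    try:
        unpad_leaky(em, k)
        return "ok"
    except PaddingError as e:
        return str(e)


def uniform_oracle(em: bytes, k: int, expected_len: int) -> str:
    """What an attacker observes from a recipient using unpad_uniform: a
    plaintext of the expected length comes back in every case."""
    pt = unpad_uniform(em, k, expected_len)
    return "ok" if len(pt) == expected_len else "fail"


def distinct_responses(oracle_results: list) -> int:
    """Number of distinguishable recipient behaviours across a set of blocks."""
    return len(set(oracle_results))


if __name__ == "__main__":
    K, MSG = 32, b"secret-key-16byt"   # constructed toy values
    blocks = tampered_blocks(MSG, K)
    print("leaky:  ", distinct_responses([leaky_oracle(b, K) for b in blocks]))
    print("uniform:", distinct_responses([uniform_oracle(b, K, len(MSG)) for b in blocks]))
```

Run with the toy values in the block: the leaky decoder yields six distinguishable responses over the six blocks, the uniform decoder one. The attack the reply describes needs that distinction on roughly 2^20 adaptively chosen ciphertexts; remove it and the queries return nothing.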

