Russ Housley <housley(_at_)spyrus(_dot_)com> writes:
Issue: Since the RSA patent is about to expire, Blake Ramsdell suggested
that the RSA algorithm become the mandatory-to-implement algorithm for key
management and signature. It was pointed out that the current RSA key
management (PKCS#1 v1.5) has a known vulnerability, so the OAEP technique
should be employed instead.
I'm not sure what the rationale is for this and it seems to me to
present even more opportunities for incompatibility. The
vulnerability in PKCS#1 1.5 is an adaptive chosen ciphertext attack
that requires order 2^20 messages to be processed by the recipient
with quite specific success or failure indications. In most
applications, this isn't practical at all. Moreover, the attack is
easily countered with a simple set of checks.
-Ekr
[Eric Rescorla ekr(_at_)rtfm(_dot_)com]
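As an added illustration (not part of this thread), a PKCS#1 v1.5 type-2 decoder whose distinct error reports form the kind of success/failure indication the adaptive chosen-ciphertext attack depends on, beside one that folds every check into a single outcome and substitutes a random payload on failure, the countermeasure TLS later adopted for its RSA key exchange. The sample blocks are constructed and the RSA operation itself is omitted; the functions work on the already-decrypted encoded message.

```python
import secrets

def leaky_unpad(block: bytes) -> bytes:
    """PKCS#1 v1.5 type-2 decoding with a distinct error per failure mode.
    A recipient whose responses let these outcomes be told apart provides
    the oracle the adaptive chosen-ciphertext attack relies on."""
    if len(block) < 11 or block[0] != 0x00:
        raise ValueError("bad leading byte")
    if block[1] != 0x02:
        raise ValueError("bad block type")
    sep = block.find(0x00, 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep < 10:
        raise ValueError("padding string shorter than 8 bytes")
    return block[sep + 1:]

def hardened_unpad(block: bytes, expected_len: int) -> bytes:
    """Same decoding, but every failure (format or payload length) yields a
    fresh random payload of the expected length, which the caller must then
    use as if it were genuine, so no outcome is distinguishable. Checks are
    folded into one flag instead of early exits; Python cannot make this
    constant-time, the point here is the absent error oracle."""
    fallback = secrets.token_bytes(expected_len)
    if len(block) < expected_len + 11:      # too short to hold 8+ pad bytes
        return fallback
    sep = len(block) - expected_len - 1     # where the 0x00 separator must be
    bad = block[0] != 0x00
    bad |= block[1] != 0x02
    bad |= block[sep] != 0x00
    for i in range(2, sep):                 # padding string: no zero bytes
        bad |= block[i] == 0x00
    return fallback if bad else block[sep + 1:]

def demo() -> dict:
    """Constructed sample blocks (hypothetical, already RSA-decrypted).
    Returns what each decoder reports, keyed by case name."""
    good = b"\x00\x02" + b"\x5a" * 8 + b"\x00" + b"secret!"
    wrong_type = b"\x00\x01" + good[2:]
    zero_in_pad = b"\x00\x02" + b"\x5a" * 3 + b"\x00" + b"\x5a" * 4 + b"\x00" + b"secret!"
    results = {}
    for name, blk in (("good", good), ("wrong_type", wrong_type),
                      ("zero_in_pad", zero_in_pad)):
        try:
            leaky = leaky_unpad(blk)
        except ValueError as e:
            leaky = str(e)               # distinguishable per failure mode
        results[name] = (leaky, hardened_unpad(blk, 7))
    return results

if __name__ == "__main__":
    for name, (leaky, hardened) in demo().items():
        print(f"{name:12s} leaky={leaky!r}  hardened_len={len(hardened)}")
```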