
Re: Way Forward

2000-08-01 13:29:55

The attack is probably impossible to mount using S/MIME against a human-operated mail agent; however, I am not convinced that a mail list agent (or other automated mail agent) would be immune. Further, CMS is being used in many environments, not just S/MIME, and some of those environments may have issues.

OAEP has been available for years. PKCS#1 v2.0 includes it. I do not think that it is immature.


At 08:11 AM 08/01/2000 -0700, Eric Rescorla wrote:
Russ Housley <housley(_at_)spyrus(_dot_)com> writes:
> Issue:  Since the RSA patent is about to expire, Blake Ramsdell suggested
> that the RSA algorithm become the mandatory to implement algorithm for key
> management and signature.  It was pointed out that the current RSA key
> management (PKCS#1 v1.5) has a known vulnerability, so the OAEP technique
> should be employed instead.
I'm not sure what the rationale is for this and it seems to me to
present even more opportunities for incompatibility.  The
vulnerability in PKCS#1 1.5 is an adaptive chosen ciphertext attack
that requires order 2^20 messages to be processed by the recipient
with quite specific success or failure indications.  In most
applications, this isn't practical at all. Moreover, the attack is
easily countered with a simple set of checks.


[Eric Rescorla                                   ekr(_at_)rtfm(_dot_)com]
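The exchange above turns on a structural difference between the two RSA encoding schemes: an EME-PKCS1-v1_5 block is accepted as soon as it starts with 00 02 and has a separator zero after at least eight padding bytes, so a decryptor that reports "padding OK / padding bad" to the sender acts as the oracle Eric describes, whereas EME-OAEP (PKCS#1 v2.0) ties the whole block together through the hash and mask generation function, so any modification is rejected. The following Python is an added illustration, not code from this thread or from any S/MIME implementation: it implements only the encoding layers (no RSA modular exponentiation), assumes a 1024-bit modulus (k = 128 bytes), SHA-1 and MGF1 as in PKCS#1 v2.0, and a constructed sample content-encryption key. Both decoders raise one identical error for every failure, which is the minimum a decryptor should do regardless of which scheme it uses.

```python
"""EME-PKCS1-v1_5 and EME-OAEP encoding layers, constructed for illustration.
k is the RSA modulus length in bytes; the RSA operation itself is omitted."""
import hashlib
import hmac
import secrets
from typing import Optional

HASH = hashlib.sha1          # PKCS#1 v2.0 default hash for OAEP
HLEN = HASH().digest_size    # 20 bytes for SHA-1
K = 128                      # assumed 1024-bit modulus
SAMPLE_MSG = b"session key 0123456789abcdef"   # constructed sample CEK


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function (PKCS#1 v2.0, Appendix B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- EME-PKCS1-v1_5, block type 2 -------------------------------------------

def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EM = 00 || 02 || PS || 00 || M, PS = at least 8 nonzero random bytes."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em: bytes, k: int) -> bytes:
    """Structural checks only; any failure raises the same error, so the
    caller never learns which check tripped.  Note that nothing here binds
    the padding bytes to the message: PS may be altered freely."""
    ok = len(em) == k and em[:2] == b"\x00\x02"
    sep = em.find(b"\x00", 2)
    ok = ok and sep >= 10                      # PS is at least 8 bytes
    if not ok:
        raise ValueError("decryption error")
    return em[sep + 1:]


# --- EME-OAEP (PKCS#1 v2.0) --------------------------------------------------

def oaep_encode(msg: bytes, k: int, label: bytes = b"",
                seed: Optional[bytes] = None) -> bytes:
    """EM = 00 || maskedSeed || maskedDB.  A fixed seed is accepted only so
    the tamper demonstration below is deterministic; real callers use None."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    lhash = HASH(label).digest()
    ps = b"\x00" * (k - len(msg) - 2 * HLEN - 2)
    db = lhash + ps + b"\x01" + msg                       # k - HLEN - 1 bytes
    seed = seed if seed is not None else secrets.token_bytes(HLEN)
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """Undo the masks, then verify Y, lHash and the 01 separator.  The whole
    DB is scanned with no early exit and every failure is the same error."""
    if len(em) != k or k < 2 * HLEN + 2:
        raise ValueError("decryption error")
    lhash = HASH(label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    idx, pad_ok = -1, True
    for i in range(HLEN, len(db)):
        if idx == -1:
            if db[i] == 1:
                idx = i
            elif db[i] != 0:
                pad_ok = False                 # non-zero byte before separator
    ok = (y == 0) & hmac.compare_digest(db[:HLEN], lhash) & pad_ok & (idx != -1)
    if not ok:
        raise ValueError("decryption error")
    return db[idx + 1:]


# --- demonstrations ----------------------------------------------------------

def v15_padding_malleable(k: int = K) -> bool:
    """True if a v1.5 block altered inside PS still decodes to SAMPLE_MSG."""
    em = bytearray(pkcs1_v15_pad(SAMPLE_MSG, k))
    em[5] = 0xAA if em[5] != 0xAA else 0xBB    # byte 5 lies inside PS
    return pkcs1_v15_unpad(bytes(em), k) == SAMPLE_MSG


def oaep_roundtrip(k: int = K) -> bytes:
    return oaep_decode(oaep_encode(SAMPLE_MSG, k), k)


def oaep_tamper_survivors(k: int = K) -> int:
    """Count single-byte modifications of an OAEP block that still decode."""
    em = oaep_encode(SAMPLE_MSG, k, seed=b"\x5a" * HLEN)   # fixed constructed seed
    survivors = 0
    for i in range(k):
        t = bytearray(em)
        t[i] ^= 0x01
        try:
            oaep_decode(bytes(t), k)
            survivors += 1
        except ValueError:
            pass
    return survivors


if __name__ == "__main__":
    print("v1.5 block still valid after padding changed:", v15_padding_malleable())
    print("OAEP round trip:", oaep_roundtrip())
    print("OAEP single-byte tampers that still decode:", oaep_tamper_survivors())
```

The v1.5 demonstration shows why a valid/invalid indication is worth something to an adversary: the padding can be changed without invalidating the block, so validity reveals information about the plaintext structure rather than about the message content. OAEP's masked seed and lHash check remove that property, which is the reason for preferring it in CMS. Python gives no constant-time guarantees, so the uniform error here closes the explicit oracle but not a timing one; a production decryptor needs both.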
