Eric:
The attack is probably impossible to mount using S/MIME against a
human-operated mail agent; however, I am not convinced that a mail list
agent (or other automated mail agent) would be immune. Further, CMS is
being used in many environments, not just S/MIME, and some of those
environments may have issues.
OAEP has been available for years. PKCS#1 v2.0 includes it. I do not
think that it is immature.
Russ
At 08:11 AM 08/01/2000 -0700, Eric Rescorla wrote:
Russ Housley <housley@spyrus.com> writes:
> Issue: Since the RSA patent is about to expire, Blake Ramsdell suggested
> that the RSA algorithm become the mandatory to implement algorithm for key
> management and signature. It was pointed out that the current RSA key
> management (PKCS#1 v1.5) has a known vulnerability, so the OAEP technique
> should be employed instead.
I'm not sure what the rationale is for this and it seems to me to
present even more opportunities for incompatibility. The
vulnerability in PKCS#1 1.5 is an adaptive chosen ciphertext attack
that requires order 2^20 messages to be processed by the recipient
with quite specific success or failure indications. In most
applications, this isn't practical at all. Moreover, the attack is
easily countered with a simple set of checks.
-Ekr
[Eric Rescorla ekr@rtfm.com]
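Eric's point that the PKCS#1 v1.5 attack depends on the recipient giving distinct success or failure indications, and that a simple set of checks counters it, illustrated with an added example that is not from this thread. It shows the EME-PKCS1-v1_5 padding layer only (the RSA operation itself is omitted; `em` is the already-decrypted block), with a naive decoder that acts as a padding oracle beside a decoder that applies the checks uniformly. Function names and the 128-byte block size are assumptions made for the example.

```python
import secrets

# Added example: EME-PKCS1-v1_5 (block type 2) encoding and two decoders.
# Block layout:  EM = 0x00 || 0x02 || PS (>= 8 non-zero random bytes) || 0x00 || M
# `em` is always the full k-byte block that came out of the RSA private operation.

def pad_v15(message: bytes, k: int) -> bytes:
    """Sender side: encode `message` into a k-byte block."""
    ps_len = k - len(message) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus size")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))  # no zero bytes
    return b"\x00\x02" + ps + b"\x00" + message

def unpad_v15_leaky(em: bytes) -> bytes:
    """Naive decoder: returns early with a distinct error per check.
    Each error (and its timing) is exactly the success/failure indication
    an adaptive chosen-ciphertext attack needs from the recipient."""
    if em[0:2] != b"\x00\x02":
        raise ValueError("wrong block type")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("separator not found")
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return em[sep + 1:]

def unpad_v15_uniform(em: bytes, key_len: int) -> bytes:
    """Hardened decoder for key transport, where the recipient knows the
    expected key length in advance. Every check runs over the whole block,
    nothing is raised, and on any failure a random key of the expected
    length is returned, so the caller proceeds identically and the peer
    only ever sees a later MAC or decryption failure. (Python cannot give
    true constant-time guarantees; the control-flow structure is the point.)"""
    k = len(em)
    sep = -1
    for i in range(2, k):                     # scan everything, never exit early
        if em[i] == 0 and sep == -1:
            sep = i
    ok = int(em[0] == 0) & int(em[1] == 2)    # block type check
    ok &= int(sep >= 10)                      # separator found, PS >= 8 bytes
    ok &= int(k - sep - 1 == key_len)         # payload has the expected length
    fallback = secrets.token_bytes(key_len)   # generated unconditionally
    return em[sep + 1:] if ok else fallback
```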