Russ Housley <housley(_at_)spyrus(_dot_)com> writes:
I do not think that we are being gratuitous. I think that it is good
security practice to remove any toe-hold that an attacker has. Further, I
do not believe that the CMS layer in current S/MIME implementations exhibit
the behavior (or lack thereof) necessary to be immune from the attack
against RSA PKCS#1 v1.5.
I'm sorry, Russ, but I don't understand your point. It's well known
how to protect PKCS-1 implementations from this attack: If the PKCS-1
padding is wrong, instead of throwing an error you randomize the key
and then continue. In fact, this is what essentially all SSL
implementations do. While it may be the case that current S/MIME or
CMS implementations don't do this, it's a trivial change to make and
introduces no incompatibilities.
Since adding OAEP also requires changing the code _and_ introduces
incompatibilities, ISTM that just fixing one's PKCS-1 implementation
is the dominant option.