Hi folks,
As Russ points out, there are applications of S/MIME where the known chosen ciphertext attack on PKCS 1 encryption is applicable.

However I believe the more significant threat is that academic cryptographers have largely stopped looking at PKCS 1 encryption because they view it as broken from a theoretical viewpoint. I think this means that the risk that someone will come up with an improved attack (or already knows a better attack but is not publicizing it) is significant.

I'd like to raise the opinions above as an objection to increasing the endorsement by the S/MIME WG of PKCS 1 encryption and would prefer to see the use of OAEP encouraged.

Best regards,
Simon
Eric Rescorla <ekr(_at_)speedy(_dot_)rtfm(_dot_)com> on 08/01/2000 05:18:45 PM
Please respond to EKR <rescorla(_at_)mindspring(_dot_)com>
To: Russ Housley <housley(_at_)spyrus(_dot_)com>
cc: ietf-smime(_at_)imc(_dot_)org (bcc: Simon Blake-Wilson/Certicom)
Subject: Re: Way Forward
Russ Housley <housley(_at_)spyrus(_dot_)com> writes:

> The attack is probably impossible to mount using S/MIME against a
> human-operated mail agent; however, I am not convinced that a mail list
> agent (or other automated mail agent) would be immune. Further, CMS is
> being used in many environments, not just S/MIME, and some of those
> environments may have issues.

Understood, but it's trivial to patch these S/MIME agents to
be completely immune to this attack without compromising compatibility.

> OAEP has been available for years. PKCS#1 v2.0 includes it. I do not
> think that it is immature.

That's not the issue that I am concerned with. Rather, I'm concerned
with introducing gratuitous incompatibilities.
-Ekr
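The thread compares two padding layers for RSA encryption of the content-encryption key: EME-PKCS1-v1_5 from PKCS#1 v1.5 and EME-OAEP from PKCS#1 v2.0 (now RFC 8017). The following pure-Python rendering of both encodings is an added illustration, not code from this thread or from any of its participants. The RSA operation itself is omitted, since the difference the thread is about lives entirely in the encoding and the decoder's validity check. The block size k = 128 bytes, the SHA-256 hash choice, the sample message and the single-byte tampering step are all constructed for the demo. The defender-side point it shows: the v1.5 decoder validates only structure (the 00 02 prefix and a zero separator), so it accepts a modified block without complaint and any behavioural difference between its failure cases is observable to a caller; the OAEP decoder, as RFC 8017 section 7.1.2 requires, folds every check into one undifferentiated "decryption error" and rejects any modification of the block.

```python
import hashlib
import hmac
import os
from typing import Optional

HASH = hashlib.sha256                 # hash for OAEP (assumption for the demo)
H_LEN = HASH().digest_size            # 32 bytes


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation (RFC 8017 B.2.1) built on HASH."""
    out = b""
    counter = 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def eme_pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 (RFC 8017 7.2.1): 00 || 02 || PS || 00 || M, PS nonzero, len(PS) >= 8."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < k - len(msg) - 3:                  # collect enough nonzero random bytes
        ps += bytes(b for b in os.urandom(k) if b != 0)
    ps = ps[: k - len(msg) - 3]
    return b"\x00\x02" + ps + b"\x00" + msg


def eme_pkcs1_v15_decode(em: bytes) -> bytes:
    """v1.5 decode. Only the prefix and the separator are checked; nothing binds the
    message bytes, so a modified block with an intact prefix is accepted."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 0 or sep - 2 < 8:
        raise ValueError("bad padding")
    return em[sep + 1:]


def eme_oaep_encode(msg: bytes, k: int, label: bytes = b"", seed: Optional[bytes] = None) -> bytes:
    """EME-OAEP (RFC 8017 7.1.1) with HASH and MGF1-HASH."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = HASH(label).digest()
    ps = b"\x00" * (k - len(msg) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + msg                   # length k - H_LEN - 1
    seed = os.urandom(H_LEN) if seed is None else seed
    masked_db = _xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = _xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def eme_oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """Inverse of eme_oaep_encode. Every check is folded into one flag and one error
    so the caller cannot tell which condition failed (RFC 8017 7.1.2). Python gives no
    real constant-time guarantee; the shape of the check is what matters here."""
    if len(em) != k or k < 2 * H_LEN + 2:
        raise ValueError("decryption error")
    l_hash = HASH(label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = _xor(masked_seed, mgf1(masked_db, H_LEN))
    db = _xor(masked_db, mgf1(seed, k - H_LEN - 1))
    bad = y                                            # leading byte must be 0x00
    bad |= int(not hmac.compare_digest(db[:H_LEN], l_hash))
    sep = -1
    for i in range(H_LEN, len(db)):                    # full scan, no early exit
        if sep < 0 and db[i] == 1:
            sep = i
        elif sep < 0 and db[i] != 0:
            bad |= 1
    bad |= int(sep < 0)
    if bad:
        raise ValueError("decryption error")
    return db[sep + 1:]


def _rejects(decode, em) -> bool:
    try:
        decode(em)
        return False
    except ValueError:
        return True


def demo(k: int = 128) -> dict:
    """Constructed sample: round-trip both encodings, then flip the last byte of each block."""
    msg = b"constructed sample content-encryption key"
    em15, em_oaep = eme_pkcs1_v15_encode(msg, k), eme_oaep_encode(msg, k)
    tampered15 = em15[:-1] + bytes([em15[-1] ^ 0x01])
    tampered_oaep = em_oaep[:-1] + bytes([em_oaep[-1] ^ 0x01])
    return {
        "v15_roundtrip": eme_pkcs1_v15_decode(em15) == msg,
        "oaep_roundtrip": eme_oaep_decode(em_oaep, k) == msg,
        "v15_rejects_tamper": _rejects(eme_pkcs1_v15_decode, tampered15),
        "oaep_rejects_tamper": _rejects(lambda e: eme_oaep_decode(e, k), tampered_oaep),
    }


if __name__ == "__main__":
    print(demo())
```

In the demo the v1.5 decoder returns a silently altered message for the tampered block, while the OAEP decoder raises its single error, which is the property that lets a CMS/S-MIME recipient (including an unattended mail-list agent of the kind Russ mentions) fail identically on every malformed input.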