ietf-smime

Re: Way Forward

2000-08-02 10:20:05
Hi folks,

As Russ points out, there are applications of S/MIME where the known chosen ciphertext attack on PKCS 1 encryption is applicable.

However I believe the more significant threat is that academic cryptographers have largely stopped looking at PKCS 1 encryption because they view it as broken from a theoretical viewpoint. I think this means that the risk that someone will come up with an improved attack (or already knows a better attack but is not publicizing it) is significant.

I'd like to raise the opinions above as an objection to increasing the endorsement by the S/MIME WG of PKCS 1 encryption and would prefer to see the use of OAEP encouraged.

Best regards. Simon





Eric Rescorla <ekr(_at_)speedy(_dot_)rtfm(_dot_)com> on 08/01/2000 05:18:45 PM

Please respond to EKR <rescorla(_at_)mindspring(_dot_)com>

To:   Russ Housley <housley(_at_)spyrus(_dot_)com>
cc:   ietf-smime(_at_)imc(_dot_)org (bcc: Simon Blake-Wilson/Certicom)
Subject:  Re: Way Forward




Russ Housley <housley(_at_)spyrus(_dot_)com> writes:
> The attack is probably impossible to mount using S/MIME against a
> human-operated mail agent; however, I am not convinced that a mail list
> agent (or other automated mail agent) would be immune.  Further, CMS is
> being used in many environments, not just S/MIME, and some of those
> environments may have issues.

Understood, but it's trivial to patch these S/MIME agents to
be completely immune to this attack without compromising compatibility.

> OAEP has been available for years.  PKCS#1 v2.0 includes it.  I do not
> think that it is immature.

That's not the issue that I am concerned with. Rather, I'm concerned
with introducing gratuitous incompatibilities.

-Ekr






