Simon Blake-Wilson wrote:
Hi folks,
As Russ points out, there are applications of S/MIME where the known chosen ciphertext attack on PKCS 1 encryption is applicable.

However, I believe the more significant threat is that academic cryptographers have largely stopped looking at PKCS 1 encryption because they view it as broken from a theoretical viewpoint. I think this means that the risk that someone will come up with an improved attack (or already knows a better attack but is not publicizing it) is significant.
Investigating other weaknesses in PKCS 1 is still of academic interest since several secure protocols which are widely deployed still use it, namely TLS and SSL.
bob
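The chosen ciphertext attack both messages refer to depends on the decrypting side revealing whether the PKCS 1 (EME-PKCS1-v1_5) padding of a submitted ciphertext was well formed. The following is an added example, not code from either poster or from any S/MIME or TLS implementation: it builds a toy RSA key from two Mersenne primes (a constructed key, far too small for real use), pads and unpads in the PKCS 1 v1.5 block type 2 format, and contrasts a decryptor whose errors leak padding validity with the TLS-style countermeasure (RFC 5246 section 7.4.7.1) that substitutes a random value on failure so no such signal is observable. Function names and the sample message are my own choices.

```python
"""Added example (not from the list thread): PKCS#1 v1.5 block type 2 padding,
a decryptor whose error behaviour reveals padding validity, and a hardened
variant that hides that signal. Constructed toy key; not for real use."""
import secrets

# Constructed toy key: 2**61-1 and 2**89-1 are known primes (M61, M89).
# N is about 150 bits, so K = 19 bytes and at most 8 bytes of message fit.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in bytes


class PaddingError(ValueError):
    """Raised when the EME-PKCS1-v1_5 structure of a decrypted block is wrong."""


def _rsa(block: bytes, exponent: int) -> bytes:
    """Textbook RSA on a K-byte block (public or private exponent)."""
    return pow(int.from_bytes(block, "big"), exponent, N).to_bytes(K, "big")


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EM = 0x00 || 0x02 || PS || 0x00 || M, with PS >= 8 non-zero random bytes."""
    if len(msg) > K - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em: bytes) -> bytes:
    """Strict structural check; raises PaddingError on any defect."""
    if len(em) != K or em[0] != 0 or em[1] != 2:
        raise PaddingError("bad leading bytes")
    sep = em.find(b"\x00", 2)
    if sep < 10:                      # separator missing or PS shorter than 8 bytes
        raise PaddingError("no separator or padding string too short")
    return em[sep + 1:]


def encrypt(msg: bytes) -> bytes:
    return _rsa(pkcs1_v15_pad(msg), E)


def decrypt_leaky(ct: bytes) -> bytes:
    """Distinguishable failure: a party who can submit ciphertexts and observe
    whether this raises learns, per query, whether c^d mod n is PKCS-conformant."""
    return pkcs1_v15_unpad(_rsa(ct, D))


def leaks_padding_failure(ct: bytes) -> bool:
    """True if the leaky decryptor signals a padding failure for this ciphertext."""
    try:
        decrypt_leaky(ct)
    except PaddingError:
        return True
    return False


def decrypt_hardened(ct: bytes, expected_len: int) -> bytes:
    """TLS-style countermeasure: never signal a padding failure. On any defect
    (or wrong plaintext length) return a random value of the expected length, so
    the caller's later steps fail the same way whether padding was valid or not."""
    fallback = secrets.token_bytes(expected_len)
    try:
        pt = pkcs1_v15_unpad(_rsa(ct, D))
    except PaddingError:
        return fallback
    return pt if len(pt) == expected_len else fallback


if __name__ == "__main__":
    good = encrypt(b"secret")
    # Constructed malformed block (block type 0x03 instead of 0x02) run through
    # the public operation, so decryption yields exactly this bad block.
    bad = _rsa(b"\x00\x03" + b"A" * (K - 2), E)
    print("roundtrip:", decrypt_leaky(good))
    print("leaky decryptor reveals failure on bad input:", leaks_padding_failure(bad))
    print("hardened decryptor returns", len(decrypt_hardened(bad, 6)), "bytes either way")
```

The hardened variant does not make PKCS 1 v1.5 encryption sound in the theoretical sense the first message complains about; it only removes the one observable (distinct error behaviour) that the known attack needs, which is why the thread's concern about future, unpublished attacks still stands.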