[Top] [All Lists]

Re: Way Forward

2000-08-02 13:15:49

One change or another is needed. Either we need to adopt OAEP or we need to include the correct processing steps for use with PKCS#1 v1.5.


As chairman, I am trying to figure out the consensus of the work group. If everyone has enough information from this thread, then I would like to hear from folks that have an opinion but have not spoken up yet.


At 09:08 AM 08/02/2000 -0700, Eric Rescorla wrote:
Russ Housley <housley(_at_)spyrus(_dot_)com> writes:
> I do not think that we are being gratuitous.  I think that it is good
> security practice to remove any toe-hold that an attacker has.  Further, I
> do not believe that the CMS layer in current S/MIME implementations exhibit
> the behavior (or lack thereof) necessary to be immune from the attack
> against RSA PKCS#1 v1.5.
I'm sorry, Russ, but I don't understand your point. It's well known
how to protect PKCS-1 implementations from this attack: If the PKCS-1
padding is wrong, instead of throwing an error you randomize the key
and then continue. In fact, this is what essentially all SSL
implementations do. While it may be the case that current S/MIME or
CMS implementations don't do this, it's a trivial change to make and
introduces no incompatibilities.

Since adding OAEP also requires changing the code _and_ introduces
incompatibilities, ISTM that just fixing one's PKCS-1 implementation
is the dominant option.


<Prev in Thread] Current Thread [Next in Thread>