Eric:
One change or another is needed. Either we need to adopt OAEP or we need
to include the correct processing steps for use with PKCS#1 v1.5.
All:
As chairman, I am trying to figure out the consensus of the work
group. If everyone has enough information from this thread, then I would
like to hear from folks that have an opinion but have not spoken up yet.
Russ
At 09:08 AM 08/02/2000 -0700, Eric Rescorla wrote:
Russ Housley <housley(_at_)spyrus(_dot_)com> writes:
> I do not think that we are being gratuitous. I think that it is good
> security practice to remove any toe-hold that an attacker has. Further, I
> do not believe that the CMS layer in current S/MIME implementations exhibits
> the behavior (or lack thereof) necessary to be immune from the attack
> against RSA PKCS#1 v1.5.
I'm sorry, Russ, but I don't understand your point. It's well known
how to protect PKCS-1 implementations from this attack: If the PKCS-1
padding is wrong, instead of throwing an error you randomize the key
and then continue. In fact, this is what essentially all SSL
implementations do. While it may be the case that current S/MIME or
CMS implementations don't do this, it's a trivial change to make and
introduces no incompatibilities.
Since adding OAEP also requires changing the code _and_ introduces
incompatibilities, ISTM that just fixing one's PKCS-1 implementation
is the dominant option.
-Ekr
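The countermeasure Eric describes above (when the PKCS#1 v1.5 padding check fails, substitute a random key and carry on instead of reporting an error), shown as an added Python example that is not code from the thread or from any S/MIME or CMS implementation. It assumes `em` is the block already recovered by the RSA private-key operation (that step is left out), and the function names and the sample key are the editor's own constructions.

```python
import os

def encode_pkcs1_v15(message: bytes, k: int) -> bytes:
    """Build an RSAES-PKCS1-v1_5 block: 0x00 || 0x02 || PS || 0x00 || M."""
    ps_len = k - len(message) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus size")
    # PS must consist of non-zero bytes; replace any zero the RNG produced.
    ps = bytes(b if b else 1 for b in os.urandom(ps_len))
    return b"\x00\x02" + ps + b"\x00" + message

def unpad_strict(em: bytes) -> bytes:
    """Naive unpad: reports every padding defect to the caller as an error."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad PKCS#1 v1.5 padding")
    sep = em.find(b"\x00", 2)
    if sep < 0 or sep - 2 < 8:          # PS must be at least 8 bytes long
        raise ValueError("bad PKCS#1 v1.5 padding")
    return em[sep + 1:]

def recover_key_or_random(em: bytes, key_len: int) -> bytes:
    """Hardened variant: a bad block yields a random key of the expected length.

    The caller continues the protocol with whatever comes back, so the peer
    observes the same outcome (typically a later MAC or decryption failure)
    whether or not the padding was valid. The length check matters too: a
    recovered "key" of the wrong size would otherwise be a distinguishable
    outcome. Python gives no timing guarantees, so this shows the structure
    of the fix, not a constant-time implementation.
    """
    try:
        key = unpad_strict(em)
        if len(key) != key_len:
            raise ValueError("unexpected key length")
    except ValueError:
        key = os.urandom(key_len)       # never tell the caller what went wrong
    return key

if __name__ == "__main__":
    # Constructed sample: a 48-byte key inside a 128-byte (1024-bit) block.
    sample_key = bytes(range(48))
    good = encode_pkcs1_v15(sample_key, 128)
    print(recover_key_or_random(good, 48) == sample_key)          # True
    print(len(recover_key_or_random(b"\x00\x01" + good[2:], 48)))  # 48
```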