ietf-smime
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Charter Update

2002-04-19 07:46:36
from [Robert Zuccherato] [Permanent Link] 
Russ;

Having not attended the Minneapolis meeting I must say that I was very
surprised by your recommendation to drop OAEP as the MUST implement key
transport mechanism with AES in favour of KEM.  It wasn't all that long ago
that you were attempting to get everyone (S/MIME, TLS, X9.44) to agree on
requiring OAEP with AES as a method of transitioning to OAEP from PKCS#1
v1.5.  Partly as a result of that effort, implementations of OAEP have
started to appear (e.g. OpenSSL) and transitions to OAEP can actually now
start to occur.  If we are going to introduce a new MUST algorithm, and thus
additional uncertainty about what to use and how to transition, we really
should have a good reason.

In your presentation you say that KEM has better security proofs.  That may
be, however, OAEP is still secure.  No actual weaknesses in it have been
found.  On RSA's website there is a description of recent results on OAEP
that says "... it makes little sense replacing OAEP with a "more secure"
encoding method, because if a CCA2 adversary is able to break RSAEP-OAEP,
then she will be able to break RSAEP equipped with any encoding method (if
maybe slightly less efficiently)."
(http://www.rsasecurity.com/rsalabs/rsa_algorithm/oaep_security.html)  Thus,
there is no need to introduce KEM for security reasons.

Your presentation also lists some standards that already include KEM.
However, all of the ones that are listed except TLS also specify OAEP (ANSI
X9.44, IEEE P1363, ISO/IEC 18033-2, PKCS#1, S/MIME).  TLS, while it
specifies a variant of KEM, doesn't actually use anything that is compatible
with the KEM that S/MIME (and the other groups listed) would be using.  I
would also like to point out that XML Encryption has OAEP as a required key
transport method.  At this point it does seem like OAEP is starting to get
adopted by other groups and thus introducing KEM now seems to be
counterproductive.

It is true that with OAEP the message length is bounded.  However, for our
requirements here, is that really an issue?  

For these reasons I think we should reconsider your proposal to use RSA-KEM
instead of RSA-OAEP in draft-ietf-smime-aes-alg.


Robert Zuccherato
Entrust, Inc.



-----Original Message-----
From: Housley, Russ [mailto:rhousley(_at_)rsasecurity(_dot_)com]
Sent: Wednesday, April 17, 2002 4:57 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Charter Update


The S/MIME WG is very out of date.  I propose the attached 
charter as a 
replacement.

Note that I have assumed that the use of RSA OAEP key 
management will be 
published as a separate RFC (not combined with the AES draft).  The 
rationale for this assumption is available in the 
presentation that I gave 
in Minneapolis.  The slides are on-line at 
http://www.ietf.org/proceedings/02mar/slides/smime-1/index.html.

Please comment on the proposed charter.

Russ
S/MIME WG Chair
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Compression within RFC2633bis?, Housley, Russ
Next by Date:  RE: Charter Update, Peter Gutmann
Previous by Thread:  Charter Update, Housley, Russ
Next by Thread:  RE: Charter Update, Peter Gutmann
Indexes:  [Date] [Thread] [Top] [All Lists]