ietf-smime
[Top] [All Lists]

RE: Why KEM?, RE: Charter Update

2002-05-07 13:18:19
Burt;

I agree that those are definitely advantages of KEM over OAEP.  However, a
number of standards (1363, PKCS#1, etc.) have already specified OAEP and
some people have already implemented it.  S/MIME is currently on the -04
version of a draft that mandates OAEP with AES. Thus, without a demonstrated
weakness with OAEP I still don't see a reason to change.  I don't see the
tighter bounds for KEM and the better architectural fit as being worth the
trouble of starting to specify a new encryption padding method.  Doing so
will necessarily cause additional interoperability and implementation
issues.  We already have an adequate replacement for PKCS #1 v1.5, why do we
need another one?

        Robert.

-----Original Message-----
From: Kaliski, Burt [mailto:BKaliski(_at_)rsasecurity(_dot_)com]
Sent: Monday, May 06, 2002 2:20 PM
To: 'ietf-smime(_at_)imc(_dot_)org'
Cc: Housley, Russ; Kaliski, Burt
Subject: RE: Why KEM?, RE: Charter Update



Russ asked me to join this discussion to explain the 
motivation for KEM.
(Please cc: me on further messages on this thread as I'm not 
a subscriber to
the ietf-smime list.) 
RSA-KEM's primary advantages over RSA-OAEP are: 
1. RSA-KEM's security bounds are tighter. RSA-KEM has been 
proved (in the
random oracle model) to be very close in security to the RSA problem.
RSA-OAEP has been proved (in the same model) to offer 
security that grows in
proportion to the security of the RSA problem, but for 
typical RSA key sizes
the provable level of security is not very high. While no 
attacks faster
than solving the RSA problem are known against RSA-OAEP if it 
is properly
implemented, it would be better if faster attacks could be ruled out
explicitly. 
2. RSA-KEM fits better architecturally. RSA-KEM follows the 
model described
by Victor Shoup, which combines a public-key "encapsulation" 
operation with
a symmetric key operation, such as the AES KeyWrap. The same 
symmetric key
operation can be combined with different public-key methods (RSA,
Diffie-Hellman, elliptic curve). It can also be used for wrapping a
symmetric key with another symmetric key. Thus, in future versions of
S/MIME, AES content-encryption keys can all be wrapped with 
AES KeyWrap. The
only difference among the public key methods would be how the 
wrapping key
is derived. RSA-OAEP, in contrast, uses a different technique 
than other
public-key methods (OAEP formatting) for processing the 
symmetric keys. 
RSA-OAEP is still fine to use, but RSA-KEM is better. As part 
of continually
improving the infrastructure, I believe it is worthwhile to introduce
support for RSA-KEM as standards are updated. Since S/MIME 
implementations
are being upgraded to support AES, this is a convenient time 
to introduce a
more robust public-key method as well. 
-- Burt Kaliski
RSA Laboratories 

<Prev in Thread] Current Thread [Next in Thread>