
AES and PKCS #1 v1.5 Issue

2002-07-16 22:41:22

This message is intended to start the final discussion on the question
of forcing AES to use RSA-OAEP in the AES draft.

At the face-to-face meeting, I indicated that it is still my belief that
we should prohibit the use of RSA PKCS#1 v1.5 to transport AES keys due
to the somewhat weaker security provided by this method.  While I agree
that there is no known attack against RSA PKCS#1 v1.5 in the case of
S/MIME (as a store-and-forward mail system), I do believe that one can
construct an attack against an arbitrary CMS-based protocol.  Since this
is a discussion of how to use AES with CMS and not just with S/MIME, I
believe that the more general case should rule what happens in this

Having done implementations of the RSA-OAEP padding already, I do NOT
believe that there is a serious development hurdle to getting RSA-OAEP

The face-to-face meeting was presented with the following choices:

1.  Leave the ban on RSA PKCS#1 v1.5 as is currently present in the
2.  Remove the ban, but allow the author to present a diatribe on why
it's a bad idea.
3.  Remove the ban entirely and force an update to SMimeCapabilities to
allow for products to advise that the combination is not acceptable.

The vote on the face-to-face was unanimous on keeping the ban.  The
discussion on this issue is now open on the list.
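Added example, not code from the message above or from the CMS/S-MIME working group: the two padding formats under discussion, EME-PKCS1-v1_5 and EME-OAEP (the latter as specified in PKCS #1 v2.0, RFC 2437, with SHA-1 and MGF1), implemented over a 128-byte block (a 1024-bit modulus is assumed) with the RSA exponentiation itself left out, so that the two decoding checks can be compared directly. The `tamper_last_byte` helper and the constructed 16-byte key are the example's own; the point it makes is that the v1.5 check validates only the `00 02 ... 00` frame and so accepts a modified block, whereas OAEP binds the whole block to a hash and rejects any change.

```python
"""EME-PKCS1-v1_5 versus EME-OAEP padding for RSA key transport.

Added example; operates on the padded block EM only (no modular
exponentiation) to compare what each decoder actually verifies.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha1          # OAEP default hash in PKCS #1 v2.0
H_LEN = HASH().digest_size   # 20 bytes


def mgf1(seed, mask_len):
    """MGF1: concatenate Hash(seed || 4-byte counter) until mask_len bytes."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def eme_oaep_encode(msg, k, label=b"", seed=None):
    """EME-OAEP encoding of msg into a k-byte block."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = HASH(label).digest()
    ps = bytes(k - len(msg) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + msg                      # k - H_LEN - 1 bytes
    seed = os.urandom(H_LEN) if seed is None else seed    # fixed seed is for tests only
    masked_db = _xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = _xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def eme_oaep_decode(em, k, label=b""):
    """EME-OAEP decoding; all failure conditions collapse into one error.

    A production decoder must also avoid timing differences between the
    checks; this version only avoids reporting which check failed.
    """
    if len(em) != k or k < 2 * H_LEN + 2:
        raise ValueError("decoding error")
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = _xor(masked_seed, mgf1(masked_db, H_LEN))
    db = _xor(masked_db, mgf1(seed, k - H_LEN - 1))
    l_hash_ok = hmac.compare_digest(db[:H_LEN], HASH(label).digest())
    rest = db[H_LEN:]
    sep = rest.find(b"\x01")                  # separator after the zero padding
    ps_ok = sep != -1 and rest[:sep] == bytes(sep)
    if not (y == 0 and l_hash_ok and ps_ok):
        raise ValueError("decoding error")
    return rest[sep + 1:]


def eme_pkcs1_v15_encode(msg, k):
    """EME-PKCS1-v1_5 encoding: 00 02 <random non-zero PS> 00 msg."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps_len = k - len(msg) - 3
    ps = b""
    while len(ps) < ps_len:
        ps += bytes(b for b in os.urandom(k) if b != 0)
    return b"\x00\x02" + ps[:ps_len] + b"\x00" + msg


def eme_pkcs1_v15_decode(em, k):
    """The only structure checked is 00 02 <at least 8 non-zero bytes> 00."""
    if len(em) != k or em[:2] != b"\x00\x02":
        raise ValueError("decoding error")
    sep = em.find(b"\x00", 2)
    if sep == -1 or sep - 2 < 8:
        raise ValueError("decoding error")
    return em[sep + 1:]


def tamper_last_byte(em):
    """Flip one bit in the last byte of a padded block (constructed tampering)."""
    return em[:-1] + bytes([em[-1] ^ 0x01])


def oaep_accepts(em, k, label=b""):
    try:
        eme_oaep_decode(em, k, label)
        return True
    except ValueError:
        return False


def v15_accepts(em, k):
    try:
        eme_pkcs1_v15_decode(em, k)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = bytes(range(16))                              # constructed AES-128 key
    em_oaep = eme_oaep_encode(key, 128, seed=bytes(H_LEN))
    em_v15 = eme_pkcs1_v15_encode(key, 128)
    print("OAEP accepts tampered block:", oaep_accepts(tamper_last_byte(em_oaep), 128))
    print("v1.5 accepts tampered block:", v15_accepts(tamper_last_byte(em_v15), 128))
```

The v1.5 decoder returns a different key from the tampered block without complaint, which is what the message means by the format giving no integrity on its own; the OAEP decoder rejects it because the label hash no longer matches after the masks are unwound.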


<Prev in Thread] Current Thread [Next in Thread>