
Re: AES and PKCS #1 v1.5 Issue

2002-07-17 00:12:39

On Wed, 17 Jul 2002 15:26:38 +0900, "Jim Schaad" wrote:

> There is one large difference between TLS and CMS.  The TLS protocol has
> already been modified to deal with the attacks on PKCS#1 v1.5, CMS has
> not been modified to deal with these attacks.  Therefore I do not
> necessarily think that the TLS conclusion on this is sufficient.

Well strictly speaking there was no modification to the TLS protocol
per se, only how implementations handle PKCS#1 padding failures... er well I 
guess that kind of is a modification to the protocol.

Besides that, I agree with Peter.  The side-channel attacks in CMS have to
be addressed anyway, because people will support PKCS#1 for backwards
interoperability with existing implementations.  There is no problem with 
S/MIME (as you have no random oracle), and the same is most likely true 
for any other CMS based application.

It would be much better to make OAEP a SHOULD and give the appropriate
recommendations to avoid side-channel attacks for the PKCS#1 stuff (and any
of the various other side-channel attacks e.g. timing analysis, Vaudenay
attack on CBC, etc).  There is a lot of infrastructure already heavily
invested in PKCS#1, some of which (like hardware accelerators for example)
will take a while to change.


Dean Povey,             |em: povey(_at_)wedgetail(_dot_)com|JCSI: Java security 
Wedgetail Communications|ph:  +61 7 3023 5139   |uPKI: Embedded/C PKI toolkit
Level 14, 388 Queen St, |fax: +61 7 3864 1282   |uSSL: Embedded/C SSL toolkit
Brisbane, Australia     |www: |XML Security: XML Signatures 
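The TLS handling of PKCS#1 v1.5 padding failures that the reply refers to, shown as an added illustration that is not part of the original message or of any CMS/TLS implementation: a leaky unpadder that reports distinct errors (the padding oracle) next to a TLS-style unpadder that never signals failure and instead carries on with a random 48-byte premaster secret. The padding helper, the 48-byte secret length and the byte-level check (which leaves out the RSA operation itself) are assumptions of this example.

```python
import os

def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 encoding: 00 || 02 || PS (nonzero, >= 8 bytes) || 00 || M.
    k is the modulus length in bytes (assumed 59 in the test below)."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytearray()
    while len(ps) < ps_len:  # draw random bytes, drop zeros until PS is full
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg

def unpad_leaky(em: bytes) -> bytes:
    """'Before' behaviour: each failure mode is a distinct, observable error,
    which is exactly the oracle the Bleichenbacher-style attacks need."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep < 10:
        raise ValueError("padding string too short")
    return em[sep + 1:]

def unpad_tls_style(em: bytes, secret_len: int = 48) -> bytes:
    """TLS-style handling: check every condition without early exit, then
    select either the embedded secret or a random fallback with a mask, so
    the caller (and the peer) sees no padding error at all."""
    fallback = os.urandom(secret_len)
    k = len(em)                      # public: equals the modulus length
    if k < secret_len + 11:          # branching on a public value is fine
        return fallback
    bad = int(em[0] != 0x00) | int(em[1] != 0x02)
    for i in range(2, k - secret_len - 1):   # PS must contain no zero byte
        bad |= int(em[i] == 0x00)
    bad |= int(em[k - secret_len - 1] != 0x00)  # separator before the secret
    secret = em[k - secret_len:]
    mask = -bad & 0xFF               # 0xFF on failure, 0x00 on success
    return bytes((f & mask) | (s & (mask ^ 0xFF))
                 for f, s in zip(fallback, secret))
```

Python gives no real constant-time guarantee; the point is the structure (no distinguishable error path), which is what a C implementation would reproduce with genuinely constant-time primitives.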
