On 02/26/2012 04:47 AM, Kevin W. Wall wrote:
> On Sat, Feb 25, 2012 at 2:22 PM, Ondrej Mikle <[email protected]> wrote:
>
>>> 5) They don't know what padding is, or when/why to use it.
>>
>> I vaguely remember some past attacks on (I think) PKCS#1 padding, it was a long
>> time ago (I'm guessing it's fixed in PKCS#1-1.5, right?). What about OAEP? I
>> also have a vague notion of a past paper that appeared to poke holes in it (maybe
>> I'm confusing it with something else?)
>
> IIRC, there were some attacks on PKCS#1 padding with RSA. I generally
> just say if you are using padding with asymmetric encryption, use
> OAEPWithSHA-256AndMGF1Padding. Not sure that is valid with ciphers
> other than RSA though. Is it safe for others too?
I've just found an article about the OAEP padding oracle (that I couldn't recall before): http://ritter.vg/blog-mangers_oracle.html

Reportedly there is no major implementation that would suffer from the error side-channel, although there is an interesting experiment with a timing side-channel.

Ondrej
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
