On Mon, Jul 02, 2012 at 01:26:20PM -0400, Matthew Green wrote:
>
> More generally, padding oracle attacks exist against OAEP as well
> (Manger's attack). In practice you typically have to construct the
> oracle by measuring a timing differential in the decryption process.
> That's hard over a network, but if you're directly attached to the
> device and have a cycle-accurate timer at your disposal, maybe not.
>
> These devices are slow!
Indeed they are. And they are part of a class of slow devices that, of course, includes not just so-called OTP tokens that have smartcard functionality, but pure smartcards and their close cousins, TPM chips.

I am in particular worried about protocols like OpenPGP, which *require* version 1.5 padding and which are often used with these kinds of devices by the security-conscious on the theory that security is thereby improved. Where these protocols can't be changed, I suppose the only real countermeasure is fairly draconian blinding implemented in software around all the hardware implementations of RSA operations with v1.5 padding.

Besides PGP, what other standard, widely-deployed protocols require the use of padding types other than OAEP?

Thor

_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography
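The software blinding Thor describes, as an added example (not code from the thread or from any token vendor): a wrapper that hands the device only a randomly blinded ciphertext and removes the blinding factor in software, so the device's timing is measured on a value unrelated to the attacker's chosen ciphertext. It assumes the token exposes a raw RSA private operation (the stand-in `device_raw_rsa_private` below is hypothetical), with the v1.5 padding check done afterwards in host software, and it uses a constructed toy key.

```python
import math
import secrets

# Constructed toy RSA key for the demonstration: tiny primes, insecure,
# chosen only so the arithmetic is easy to follow. Real keys are 2048+ bits.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Record of the ciphertexts the "device" actually processed, for inspection.
DEVICE_SEEN = []

def device_raw_rsa_private(c: int) -> int:
    """Hypothetical stand-in for the token's raw RSA private operation c^d mod n.

    On a real device this runs on-chip, and its timing is what a locally
    attached observer with a precise timer could measure.
    """
    DEVICE_SEEN.append(c)
    return pow(c, D, N)

def blinded_private_op(c: int, raw_op=device_raw_rsa_private) -> int:
    """Run the private operation on the device against a blinded ciphertext.

    Pick a fresh random r coprime to n, give the device c' = c * r^e (mod n),
    which decrypts to m' = m * r, then strip the factor r in software.  The
    device never works on c itself, so its timing cannot be correlated with
    the ciphertext an attacker submitted.
    """
    if not 0 <= c < N:
        raise ValueError("ciphertext out of range")
    while True:
        r = secrets.randbelow(N - 2) + 2          # r in [2, n-1]
        if math.gcd(r, N) == 1:
            break
    c_blind = (c * pow(r, E, N)) % N
    m_blind = raw_op(c_blind)
    return (m_blind * pow(r, -1, N)) % N          # m = m' * r^-1 mod n

def rsa_public_op(m: int) -> int:
    """Textbook RSA public operation m^e mod n (no padding), for the round trip."""
    return pow(m, E, N)

if __name__ == "__main__":
    c = rsa_public_op(123456789)
    print(blinded_private_op(c), "device saw a different value:", DEVICE_SEEN[-1] != c)
```

The v1.5 padding check on the unblinded result still has to be written so that its outcome and timing do not reveal which byte failed; blinding only removes the hardware exponentiation from the attacker's view.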
