Ryan Sleevi <[email protected]> writes:

>Did you just suggest that the timing channels in PKCS#1 v1.5 are easier to
>get right than the timing channels of OAEP?

Yup.

>The same PKCS#1 v1.5 encryption that's confounding people a decade [1] after
>the original attacks [2]?

You're confusing two things, an implementation that doesn't even consider timing channels and an implementation that does. For the former, OAEP is just as vulnerable as PKCS #1 v1.5, the reason why Bleichenbacher attacked v1.5 rather than OAEP is because use of the latter is practically nonexistent compared to v1.5, which for starters is used in every web server on the planet. However, once you do decide to defend against timing channels, v1.5 is quite a bit easier to deal with than OAEP.

>Implementing OAEP validation in constant time is trivial

Care to provide an example of how you'd do this?

Peter.

[1] NMF.
[2] NMF.
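For readers following the thread, here is a branch-free check of PKCS #1 v1.5 encryption padding (block type 02), the format the message above argues is the easier one to defend. It is an added example, not code from either participant or from any library; the function name `pkcs1v15_unpad_ct`, the helpers and the sample blocks are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All-ones if x == 0, else 0; no branch on x. */
static uint32_t ct_is_zero(uint32_t x) {
    return (uint32_t)0 - (((x | ((uint32_t)0 - x)) >> 31) ^ 1u);
}

/* All-ones if a < b, else 0; valid for a, b < 2^31. */
static uint32_t ct_lt(uint32_t a, uint32_t b) {
    return (uint32_t)0 - ((a - b) >> 31);
}

/* Checks EM = 00 || 02 || PS (>= 8 nonzero bytes) || 00 || M.
 * Returns the offset of M in em, or -1 if the padding is invalid.
 * len is public (the modulus size, < 2^31); the contents of em are secret.
 * The loop always scans all of em and never branches on or indexes by a
 * secret byte, so run time does not depend on where or whether it fails. */
int pkcs1v15_unpad_ct(const uint8_t *em, size_t len) {
    uint32_t found = 0;   /* mask: separator already seen */
    uint32_t sep = 0;     /* index of the first 00 after the header */
    uint32_t good;
    size_t i;

    if (len < 11) return -1;
    good = ct_is_zero(em[0]) & ct_is_zero((uint32_t)em[1] ^ 0x02u);
    for (i = 2; i < len; i++) {
        uint32_t first = ct_is_zero(em[i]) & ~found;
        sep |= first & (uint32_t)i;
        found |= first;
    }
    good &= found & ~ct_lt(sep, 10);  /* PS >= 8 bytes means sep >= 10 */
    return (int)(good & (sep + 1)) - (int)(~good & 1u);
}

/* Constructed sample blocks (not output of a real decryption). */
static const uint8_t EM_OK[]       = {0,2,1,2,3,4,5,6,7,8,0,'h','i'};
static const uint8_t EM_SHORT_PS[] = {0,2,1,2,3,4,5,6,7,0,'h','i','!'};
static const uint8_t EM_BAD_TYPE[] = {0,1,1,2,3,4,5,6,7,8,0,'h','i'};
static const uint8_t EM_NO_SEP[]   = {0,2,1,2,3,4,5,6,7,8,9,10,11};

int main(void) {
    printf("%d %d\n", pkcs1v15_unpad_ct(EM_OK, sizeof EM_OK),
           pkcs1v15_unpad_ct(EM_SHORT_PS, sizeof EM_SHORT_PS));
    return 0;
}
```

A caller that branches observably on the -1 result, or copies M out starting at the secret offset, reintroduces the channel this check avoids. Compilers can also turn mask arithmetic back into branches, so the generated code needs inspecting on each target.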
