William Rowden writes:
> > > PKCS #1 v1.5 -> v2 (OAEP) w/MGF1
> [snip]
> > Given enough answers to the question "is this ciphertext
> > well-formed?" an adversary can recover the plaintext from a
> > ciphertext. While the current best known form of the attack
> > takes 2^20 queries,
>
> I hope the remailer would have different keys by then. :-)
There is nothing explicit preventing the remailer attempting to remail
as many messages as you shove at it other than CPU load; 2^20 is only
1 million messages. There are I think several remailers around today
that have sent that many messages over the course of their remailer
key life (1,000 messages per day is common).
However the trick with Bleichenbacher's PKCS #1 attack is that the
server has to tell you _how_ the decryption failed. You could perhaps
imply failure by lack of message coming out of the remailer, or at
least an attempt to send to some random 8bit string by say a DNS
lookup? But if it just says "failed" you don't gain anything over
brute force.
To get beyond "failed" you'd need to pass the internal checksum which
is 128 bits, and proposed 160 bits here through 3DES encryption with
an unknown key.
> > there are two things to consider
> > 1) a remailer is a pretty good target for a chosen ciphertext
> > kind of attack -- it decrypts pretty much everything coming in
>
> It even logs decryption failures.
Yes, but only "Notice: Malformatted message." which as I explain above
doesn't constitute an attack; and besides it doesn't mail it to
anyone, someone who can read the log can read the messages queued in
the remailer's pool.
So in summary we could use OAEP, but if there are space efficiency
reasons not to, then we don't need to.
Adam
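The distinction Adam draws above, between a decryptor that reports _how_ PKCS #1 v1.5 unwrapping failed and one that only ever says "failed" after an inner checksum has been checked, as an added example that is not part of the original thread and is not Mixmaster's own code. It is a constructed toy model: the RSA operation is left out and the code starts from an already-decrypted encoding block; the block length `K`, the `wrap_with_checksum` / `unwrap_hardened` / `log_line` helpers and the body-plus-SHA-1 payload layout are all assumptions made for the illustration (a 160-bit checksum, as proposed in the thread, rather than the real format's 128-bit one).

```python
import hashlib
import hmac
import secrets

# Constructed toy model of a remailer's RSA-wrapped header (an assumption for this
# example, not Mixmaster's real format). The RSA step itself is omitted: the
# functions below start from the already-decrypted PKCS #1 v1.5 encoding block.
K = 128            # encoding block length in bytes (1024-bit modulus, assumed)
CHECKSUM_LEN = 20  # 160-bit SHA-1 checksum, as proposed in the thread


def pkcs1_v15_pad(message: bytes, k: int = K) -> bytes:
    """EME-PKCS1-v1_5 block: 0x00 || 0x02 || PS (>= 8 non-zero random bytes) || 0x00 || M."""
    if len(message) > k - 11:
        raise ValueError("message too long for block")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(message) - 3))
    return b"\x00\x02" + ps + b"\x00" + message


def pkcs1_v15_unpad_verbose(block: bytes, k: int = K):
    """Returns (message, reason). Reporting *which* check failed is exactly the
    oracle shape the padding attack needs; it is shown here only to contrast
    with the hardened path below."""
    if len(block) != k:
        return None, "bad length"
    if block[0] != 0x00 or block[1] != 0x02:
        return None, "bad header"
    sep = block.find(b"\x00", 2)
    if sep == -1:
        return None, "no separator"
    if sep - 2 < 8:
        return None, "padding too short"
    return block[sep + 1:], "ok"


def wrap_with_checksum(body: bytes) -> bytes:
    """Inner payload: body || SHA-1(body). A forged block that happens to pass
    the padding checks still has to pass this before anything is sent."""
    return body + hashlib.sha1(body).digest()


def unwrap_hardened(block: bytes, k: int = K):
    """Hardened remailer path: returns the body on success, None on ANY failure.
    The padding result and the checksum result are both computed and then
    collapsed into a single yes/no, so the caller can only ever log 'failed'."""
    padded, _reason = pkcs1_v15_unpad_verbose(block, k)  # reason is discarded
    payload = padded if padded is not None else b""
    body, tag = payload[:-CHECKSUM_LEN], payload[-CHECKSUM_LEN:]
    checksum_ok = hmac.compare_digest(hashlib.sha1(body).digest(), tag)
    if padded is None or len(payload) < CHECKSUM_LEN or not checksum_ok:
        return None
    return body


def log_line(result) -> str:
    """The only thing written to the remailer log, whatever went wrong."""
    return "Notice: Malformatted message." if result is None else "Notice: message queued."


if __name__ == "__main__":
    body = b"remailer-session-key-and-headers"
    good = pkcs1_v15_pad(wrap_with_checksum(body))
    bad_header = b"\x00\x01" + good[2:]                 # padding failure
    tampered = pkcs1_v15_pad(body + b"\x00" * CHECKSUM_LEN)  # padding fine, checksum wrong
    for name, blk in (("good", good), ("bad_header", bad_header), ("tampered", tampered)):
        print(name, pkcs1_v15_unpad_verbose(blk)[1], "->", log_line(unwrap_hardened(blk)))
```

The verbose parser tells the two bad blocks apart ("bad header" versus "ok"), while the hardened path answers both with the same `None` and the same log line, which is the "nothing beyond 'failed'" property the thread relies on. The log-line string is kept identical on purpose; the remaining side channel a practitioner would also want to close is timing, which this toy does not address.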