On Thu, Feb 23, 2006, Kyle Hamilton wrote:

> Which version of PKCS#1 does OpenSSL use? v1 had a problem in its
> (lack of) padding that would allow private key leakage, at least
> according to Wikipedia:
>
> In 1998, Daniel Bleichenbacher described the first practical adaptive
> chosen ciphertext attack, against RSA-encrypted messages using the
> PKCS #1 v1 padding scheme (a padding scheme randomizes and adds
> structure to an RSA-encrypted message, so it is possible to determine
> whether a decrypted message is valid.) Due to flaws with the PKCS #1
> scheme, Bleichenbacher was able to mount a practical attack against
> RSA implementations of the Secure Socket Layer protocol, and to
> recover session keys. As a result of this work, cryptographers now
> recommend the use of provably secure padding schemes such as Optimal
> Asymmetric Encryption Padding, and RSA Laboratories has released new
> versions of PKCS #1 that are not vulnerable to these attacks.
>
> (Wikipedia article RSA, heading 4.5 (Adaptive Chosen Ciphertext
> Attacks), accessed 2006Feb23)
OpenSSL can use several PKCS#1 schemes. The actual type referred to in that attack is RSAES-PKCS1-V1_5, and the attack won't reveal the RSA private key in use, but rather individual session keys under certain specific circumstances.

SSL/TLS uses that scheme in all its RSA key exchange ciphersuites, so it couldn't just be changed to OAEP. Instead, various countermeasures have been implemented in OpenSSL and other SSL/TLS libraries against that attack.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
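The RSAES-PKCS1-v1_5 validity check the thread is about, shown next to the kind of countermeasure Steve mentions, as an added illustration that is not code from this thread or from OpenSSL. It works on the already RSA-decrypted block (no modular exponentiation), uses a constructed sample block, and models the substitution step on the server-side procedure in RFC 5246 section 7.4.7.1; a production implementation additionally performs the whole check in constant time, which this sketch does not attempt.

```python
import secrets
from typing import Optional

PREMASTER_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes


def pkcs1_v15_unpad(em: bytes, k: int) -> Optional[bytes]:
    """EME-PKCS1-v1_5 (block type 2) decoding of an RSA-decrypted block of k bytes.

    Returns the embedded message, or None if the encoding is invalid.
    """
    if len(em) != k or k < 11:
        return None
    if em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)  # first zero byte after the block type ends PS
    if sep == -1 or sep - 2 < 8:  # PS must be at least 8 non-zero bytes
        return None
    return em[sep + 1:]


def naive_premaster(em: bytes, k: int) -> bytes:
    """Handling that acts as a padding oracle: a distinct failure on bad padding."""
    m = pkcs1_v15_unpad(em, k)
    if m is None:
        raise ValueError("bad_rsa_padding")  # the distinguishable signal the attack relies on
    return m


def hardened_premaster(em: bytes, k: int, client_version: bytes) -> bytes:
    """Countermeasure (modelled on RFC 5246 7.4.7.1): whatever goes wrong, carry on
    with a random premaster secret, so the peer only ever sees a handshake that
    fails later in the same way a wrong secret would."""
    r = secrets.token_bytes(PREMASTER_LEN - 2)  # drawn before decoding, on every call
    m = pkcs1_v15_unpad(em, k)
    if m is None or len(m) != PREMASTER_LEN:
        return client_version + r
    return client_version + m[2:]  # use the client's offered version, not the one inside M


# Constructed sample: k = 128 (1024-bit modulus), 77 bytes of 0x41 as PS, then the 48-byte secret.
K = 128
CLIENT_VERSION = b"\x03\x01"
SECRET = CLIENT_VERSION + bytes(range(46))
GOOD_EM = b"\x00\x02" + b"\x41" * (K - 3 - PREMASTER_LEN) + b"\x00" + SECRET
BAD_EM = b"\x00\x01" + GOOD_EM[2:]  # wrong block type: invalid encoding
```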