We have known for a very long time that PKCS #1 Version 1.5 (see RFC 2313) is vulnerable to adaptive chosen ciphertext attacks when applied for encryption purposes. Exploitation reveals the result of a particular RSA decryption, but requires access to an oracle which will respond to hundreds of thousands of ciphertexts, which are constructed adaptively in response to previously-received replies providing information on the successes or failures of attempted decryption operations. As a result, the attack appears significantly less feasible to perpetrate in store-and-forward environments than for interactive ones.
PKCS #1 Version 2.0 and Version 2.1 (see RFC 3447) include RSA-OAEP to address this situation, but we have seen very little movement toward RSA-OAEP. While we are reviewing algorithm choices in light of the pervasive surveillance situation, I think we should take the time to address known vulnerabilities like this one. If we don't, then we are leaving a partially open door for a well-funded attacker.

Russ
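As an added illustration of the RSA-OAEP padding layer the message recommends (this is example code written for this page, not from the poster or from any IETF document), the following implements EME-OAEP encoding and decoding from RFC 3447 with SHA-256 and MGF1 using only the Python standard library. It assumes a 1024-bit modulus (k = 128 bytes) and a constructed fixed seed so the result is repeatable; the RSA operation itself is omitted, since the point is the padding format and its single, undifferentiated decoding error.

```python
import hashlib
import os

HLEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 (RFC 3447 B.2.1) with SHA-256: expand seed into a length-byte mask."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, k: int, label: bytes = b"", seed: bytes = b"") -> bytes:
    """EME-OAEP-ENCODE (RFC 3447 7.1.1); the seed parameter exists only for repeatable demos."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    lhash = hashlib.sha256(label).digest()
    db = lhash + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = seed or os.urandom(HLEN)  # real encryption: fresh random seed every time
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """EME-OAEP-DECODE (RFC 3447 7.1.2): every check folds into one flag and one error."""
    lhash = hashlib.sha256(label).digest()
    y, masked_seed, masked_db = em[:1], em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    rest = db[HLEN:]
    i = len(rest) - len(rest.lstrip(b"\x00"))  # position of first non-zero byte
    bad = (len(em) != k) | (y != b"\x00") | (db[:HLEN] != lhash) | (rest[i:i + 1] != b"\x01")
    if bad:
        raise ValueError("decryption error")  # same message whichever check failed
    return rest[i + 1:]

def roundtrip_and_tamper(msg: bytes, k: int = 128) -> tuple:
    """Constructed check: decode(encode(m)) == m, and a one-bit change in EM is rejected."""
    em = oaep_encode(msg, k, seed=b"\x42" * HLEN)  # fixed seed, demo only
    tampered = em[:k // 2] + bytes([em[k // 2] ^ 0x01]) + em[k // 2 + 1:]
    try:
        oaep_decode(tampered, k)
        rejected = False
    except ValueError:
        rejected = True
    return oaep_decode(em, k), rejected
```

The tampered ciphertext is refused because MGF1 spreads any change across the whole data block, which is the all-or-nothing behaviour that the v1.5 format check (two leading bytes and a zero separator) does not provide.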
