+1 A vulnerability is a vulnerability. Currently foreseeable attacks may seem unwieldy/impractical, but assuming that someone hasn't found/won't find a viable exploitation is optimistic.
R

Robin Wilton
Technical Outreach Director - Identity and Privacy
Internet Society
email: [email protected]
Phone: +44 705 005 2931
Twitter: @futureidentity

On 20 Nov 2013, at 15:49, Russ Housley wrote:

> We have known for a very long time that PKCS #1 Version 1.5 (see RFC 2313) is
> vulnerable to adaptive chosen ciphertext attacks when applied for encryption
> purposes. Exploitation reveals the result of a particular RSA decryption, and
> requires access to an oracle which will respond to hundreds of thousands of
> ciphertexts, which are constructed adaptively in response to
> previously-received replies providing information on the successes or
> failures of attempted decryption operations. As a result, the attack appears
> significantly less feasible to perpetrate in store-and-forward environments
> than for interactive ones.
>
> PKCS #1 Version 2.0 and Version 2.1 (see RFC 3447) include RSA-OAEP to
> address this situation, but we have seen very little movement toward
> RSA-OAEP. While we are reviewing algorithm choices in light of the pervasive
> surveillance situation, I think we should take the time to address known
> vulnerabilities like this one. If we don't, then we are leaving a partially
> open door for a well-funded attacker.
>
> Russ
> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass
