What are you proposing be done, besides supporting OAEP in new specs or back-porting it to old ones? In order to make people use OAEP, we would need to call in the protocol police.
On Wed, Nov 20, 2013 at 10:49 AM, Russ Housley <[email protected]> wrote: > We have known for a ver long time that PKCS #1 Version 1.5 (see RFC 2313) > is vulnerable to adaptive chosen ciphertext attacks when applied for > encryption purposes. Exploitation reveals the result of a particular RSA > decryption, requires access to an oracle which will respond to a hundreds > of thousands of ciphertexts), which are constructed adaptively in response > to previously-received replies providing information on the successes or > failures of attempted decryption operations. As a result, the attack > appears significantly less feasible to perpetrate in store-and-forward > environments than for interactive ones. > > PKCS #1 Version 2.0 and Version 2.1 (see RFC 3447) include RSA-OAEP to > address this situation, but we have seen very little movement toward > RSA-OAEP. While we are reviewing algorithm choices in light of the > pervasive surveillance situation, I think we should take the time to > address known vulnerabilities like this one. If we don't, then we are > leaving an partially open door for a well funded attacker. > > Russ > _______________________________________________ > perpass mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/perpass >
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
