I do not know of any place where RSA-OAEP has been called out as the mandatory to implement algorithm, but there are many places where PKCS#1 v1.5 still enjoys this status. I suggest we make RSA-OAEP the mandatory to implement algorithm in our specifications.
Russ

On Nov 20, 2013, at 11:09 AM, Richard Barnes wrote:

> What are you proposing be done, besides supporting OAEP in new specs or
> back-porting it to old ones? In order to make people use OAEP, we would need
> to call in the protocol police.
>
>
> On Wed, Nov 20, 2013 at 10:49 AM, Russ Housley <[email protected]> wrote:
>
> > We have known for a very long time that PKCS #1 Version 1.5 (see RFC 2313) is
> > vulnerable to adaptive chosen ciphertext attacks when applied for encryption
> > purposes. Exploitation reveals the result of a particular RSA decryption,
> > requires access to an oracle which will respond to hundreds of thousands of
> > ciphertexts, which are constructed adaptively in response to
> > previously-received replies providing information on the successes or
> > failures of attempted decryption operations. As a result, the attack appears
> > significantly less feasible to perpetrate in store-and-forward environments
> > than for interactive ones.
> >
> > PKCS #1 Version 2.0 and Version 2.1 (see RFC 3447) include RSA-OAEP to
> > address this situation, but we have seen very little movement toward
> > RSA-OAEP. While we are reviewing algorithm choices in light of the pervasive
> > surveillance situation, I think we should take the time to address known
> > vulnerabilities like this one. If we don't, then we are leaving a partially
> > open door for a well funded attacker.
> >
> > Russ
> > _______________________________________________
> > perpass mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/perpass
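Russ's description of the oracle, as an added worked example that is not part of this thread: the code below is mine, not from any IETF document or library. It implements toy RSA with PKCS#1 v1.5 padding and with RSA-OAEP, shows the RSA homomorphism (c * s^e decrypts to s*m mod n) that the attacker relies on, and shows what a single "padding conforms" answer from a v1.5 decryptor tells the attacker about m, next to an OAEP decoder rejecting the same malleated ciphertext with one generic failure. Assumptions: a deliberately weak fixed key built from two Mersenne primes (so there is no key generation code), SHA-256 as the OAEP hash and MGF1 hash, a seeded RNG for repeatability, and Python 3.8+; the function names (`toy_key`, `v15_oracle`, `malleate`, `intervals_after_conforming`, `demo`) are my own. The expensive part of the real attack is finding a conforming multiplier blindly; to keep the example short, the demo locates one with the private key and then makes exactly one oracle query.

```python
"""Added example (not from the thread): a PKCS#1 v1.5 padding check as a decryption
oracle, next to RSA-OAEP. Toy RSA in pure Python (3.8+), no constant-time care."""
import hashlib
import random

_rng = random.Random(20131120)  # seeded so the demo is repeatable

def toy_key():
    """Deliberately weak demo key from two Mersenne primes (2^521-1 and 2^607-1), so the
    example needs no key generation; e = 65537 divides neither p-1 nor q-1."""
    p, q, e = (1 << 521) - 1, (1 << 607) - 1, 65537
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

_k = lambda n: (n.bit_length() + 7) // 8          # modulus length in bytes
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

# PKCS#1 v1.5 (RFC 2313): EM = 00 || 02 || PS (at least 8 nonzero bytes) || 00 || M
def v15_encrypt(msg, n, e):
    ps = bytearray()
    while len(ps) < _k(n) - len(msg) - 3:
        b = _rng.getrandbits(8)
        if b:
            ps.append(b)
    return pow(int.from_bytes(b"\x00\x02" + bytes(ps) + b"\x00" + msg, "big"), e, n)

def v15_conforming(em):
    """The decryptor's format check; when its verdict reaches the attacker (error code,
    alert, timing) it is the oracle the adaptive chosen-ciphertext attack queries."""
    return len(em) >= 11 and em[0] == 0 and em[1] == 2 and em.find(b"\x00", 2) >= 10

def v15_oracle(c, n, d):
    return v15_conforming(pow(c, d, n).to_bytes(_k(n), "big"))

# RSA-OAEP (RFC 3447) with SHA-256 as both the label hash and the MGF1 hash
def _mgf1(seed, length):
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def oaep_encrypt(msg, n, e, label=b""):
    k, h = _k(n), 32
    if len(msg) > k - 2 * h - 2:
        raise ValueError("message too long")
    db = hashlib.sha256(label).digest() + bytes(k - len(msg) - 2 * h - 2) + b"\x01" + msg
    seed = bytes(_rng.getrandbits(8) for _ in range(h))
    mdb = _xor(db, _mgf1(seed, k - h - 1))
    return pow(int.from_bytes(b"\x00" + _xor(seed, _mgf1(mdb, h)) + mdb, "big"), e, n)

def oaep_decrypt(c, n, d, label=b""):
    """The message, or None: one generic failure for every malformed ciphertext."""
    k, h = _k(n), 32
    em = pow(c, d, n).to_bytes(k, "big")
    seed = _xor(em[1:1 + h], _mgf1(em[1 + h:], h))
    db = _xor(em[1 + h:], _mgf1(seed, k - h - 1))
    sep = db.find(b"\x01", h)
    if em[0] != 0 or db[:h] != hashlib.sha256(label).digest() or sep < 0 or any(db[h:sep]):
        return None
    return db[sep + 1:]

def malleate(c, s, n, e):
    """RSA is multiplicatively homomorphic: c * s^e decrypts to s * m mod n."""
    return c * pow(s, e, n) % n

def intervals_after_conforming(s, n, B):
    """'Conforming' for multiplier s means 2B <= s*m - r*n <= 3B-1 for some r >= 0;
    return the candidate intervals for m inside [2B, 3B-1] that this leaves."""
    out = []
    for r in range(-(-(2 * B * s - 3 * B + 1) // n), ((3 * B - 1) * s - 2 * B) // n + 1):
        lo = max(2 * B, -(-(r * n + 2 * B) // s))
        hi = min(3 * B - 1, (r * n + 3 * B - 1) // s)
        if lo <= hi:
            out.append((lo, hi))
    return out

def demo(msg=b"attack at dawn"):
    n, e, d = toy_key()
    k = _k(n)
    B = 1 << (8 * (k - 2))                      # every v1.5 plaintext lies in [2B, 3B)
    c = v15_encrypt(msg, n, e)
    m = pow(c, d, n)
    # The real attack finds a conforming multiplier blindly, from about n/(3B) upward,
    # at a cost of tens of thousands of oracle calls; to keep the demo short the private
    # key locates one here, and the oracle is then asked exactly once.
    s = -(-n // (3 * B))
    while not v15_conforming((m * s % n).to_bytes(k, "big")):
        s += 1
    ivs = intervals_after_conforming(s, n, B)
    co = oaep_encrypt(msg, n, e)
    return {
        "oracle_says_conforming": v15_oracle(malleate(c, s, n, e), n, d),
        "m_inside_deduced_intervals": any(lo <= m <= hi for lo, hi in ivs),
        "intervals_far_narrower_than_B": sum(hi - lo + 1 for lo, hi in ivs) * 100 < B,
        "oaep_roundtrip": oaep_decrypt(co, n, d) == msg,
        "oaep_rejects_malleated": oaep_decrypt(malleate(co, s, n, e), n, d) is None,
    }

if __name__ == "__main__":
    print(demo())
```

Run it with python3 and every entry of the returned dict should be True. The "far narrower" entry is the point: one yes/no answer from the v1.5 format check has shrunk the candidate range for m from width B to a sliver, and repeating that with further multipliers is the adaptive attack described above, which is why the number of oracle calls runs into the tens or hundreds of thousands. The OAEP decoder gives the attacker nothing to iterate on as long as it leaks nothing beyond accept/reject; this toy makes no attempt at constant-time decoding, which a real implementation must.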
