[saag] RSA-OAEP

Russ Housley <housley@vigilsec.com> Wed, 04 December 2013 10:41 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id B040E1AE253 for <saag@ietfa.amsl.com>; Wed, 4 Dec 2013 02:41:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Xm2AoR90lcMo for <saag@ietfa.amsl.com>; Wed, 4 Dec 2013 02:41:52 -0800 (PST)
Received: from odin.smetech.net (mail.smetech.net []) by ietfa.amsl.com (Postfix) with ESMTP id E6C151AE0ED for <saag@ietf.org>; Wed, 4 Dec 2013 02:41:26 -0800 (PST)
Received: from localhost (unknown []) by odin.smetech.net (Postfix) with ESMTP id DFA2EF24092 for <saag@ietf.org>; Wed, 4 Dec 2013 05:41:13 -0500 (EST)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([]) by localhost (ronin.smeinc.net []) (amavisd-new, port 10024) with ESMTP id sGhBZu01-JNR for <saag@ietf.org>; Wed, 4 Dec 2013 05:40:52 -0500 (EST)
Received: from v150.vpn.iad.rg.net (v150.vpn.iad.rg.net []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 07057F24085 for <saag@ietf.org>; Wed, 4 Dec 2013 05:40:50 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Wed, 4 Dec 2013 05:40:33 -0500
Message-Id: <68E9129E-F1A4-4EAB-8E5F-5DA9F3EAE92D@vigilsec.com>
To: IETF SAAG <saag@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1085)
X-Mailer: Apple Mail (2.1085)
Subject: [saag] RSA-OAEP
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2013 10:41:58 -0000

We have known for a very long time that PKCS #1 Version 1.5 (see RFC 2313) key transport is vulnerable to adaptive chosen ciphertext attacks.  Exploitation reveals the result of a particular RSA decryption, requires access to an oracle which will respond to a hundreds of thousands of ciphertexts, which are constructed adaptively in response to previously-received replies providing information on the successes or failures of attempted decryption operations.  As a result, the attack appears significantly less feasible in store-and-forward environments than interactive ones.

PKCS #1 Version 2.0 and Version 2.1 (see RFC 3447) include RSA-OAEP to address this situation, but we have seen very little movement toward RSA-OAEP.  While we are reviewing algorithm choices in light of the pervasive surveillance situation, I think we should take the time to address known vulnerabilities like this one.  If we don't, then we are leaving an partially open door for a well funded attacker.