Proposition: include a new Section 6.1.3
6.1.3 Backwards Compatibility Attacks
Even state-of-the-art encryption algorithms (RSA-OAEP, AES-GCM) become insecure when an adversary can force the server to process an eavesdropped ciphertext with a legacy algorithm such as RSA-PKCS#1 v1.5 or AES-CBC~\cite{NDSS}:
1. The adversary can break the security of an AES-GCM ciphertext if he can force the server to process that ciphertext with AES-CBC under the same symmetric key.
2. The adversary can decrypt an RSA-OAEP ciphertext if he can force the server to process that ciphertext with RSA-PKCS#1 v1.5 under the same asymmetric key.
3. The adversary can forge valid server signatures if the server decrypts RSA-PKCS#1 v1.5 ciphertexts and its signatures are computed with the same asymmetric key pair.
Our recommendations:
1. Allowing RSA-PKCS#1 v1.5 and AES-CBC is dangerous. Where your application permits it, restrict usage to chosen-ciphertext secure algorithms only (RSA-OAEP, AES-GCM). Documents containing RSA-PKCS#1 v1.5 or AES-CBC ciphertexts must then be rejected without any decryption attempt.
2. It is bad cryptographic practice to use the same cryptographic keys for different cryptographic tasks and algorithms. We recommend enforcing separate keys for public-key encryption and for signature processing (one key pair for ciphertext decryption, a different key pair for signature creation).
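The following is an added illustration of both recommendations, not code from the proposal or from any XML Encryption implementation. It assumes the documents in question are XML Encryption documents, so the algorithm identifiers are the standard xenc/xenc11 URIs; the document builder, the allowlist and the key-usage registry are constructed for this example. The check runs over the algorithm identifiers alone and rejects a document before any key or payload is decrypted, which is what prevents the legacy-algorithm downgrade described above.

```python
"""Reject documents that name a non-chosen-ciphertext-secure algorithm before
any decryption, and bind each key to a single purpose (added example)."""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Recommendation 1: only chosen-ciphertext secure algorithms are accepted.
ALLOWED_ALGORITHMS = {
    XENC + "rsa-oaep-mgf1p",
    XENC11 + "rsa-oaep",
    XENC11 + "aes128-gcm",
    XENC11 + "aes192-gcm",
    XENC11 + "aes256-gcm",
}

# Legacy algorithms are named so that a rejection can state the reason.
LEGACY_ALGORITHMS = {
    XENC + "rsa-1_5": "RSA-PKCS#1 v1.5",
    XENC + "aes128-cbc": "AES-CBC",
    XENC + "aes192-cbc": "AES-CBC",
    XENC + "aes256-cbc": "AES-CBC",
}


def check_algorithms(xml_text):
    """Return (ok, reasons). ok is False if any EncryptionMethod in the
    document, including the one inside EncryptedKey, names an algorithm
    outside the allowlist. Call this before touching any key material."""
    root = ET.fromstring(xml_text)
    reasons = []
    for elem in root.iter("{%s}EncryptionMethod" % XENC):
        alg = elem.get("Algorithm", "")
        if alg in ALLOWED_ALGORITHMS:
            continue
        label = LEGACY_ALGORITHMS.get(alg, "unknown algorithm")
        reasons.append("%s: %s" % (label, alg))
    return (not reasons, reasons)


# Recommendation 2: a key identifier is bound to exactly one purpose, so the
# key pair that decrypts ciphertexts can never be the one that signs.
class KeyUsagePolicy:
    def __init__(self):
        self._purpose = {}

    def register(self, key_id, purpose):
        if purpose not in ("decrypt", "sign"):
            raise ValueError("unknown purpose: %s" % purpose)
        if key_id in self._purpose and self._purpose[key_id] != purpose:
            raise ValueError("key %s is already bound to %s"
                             % (key_id, self._purpose[key_id]))
        self._purpose[key_id] = purpose

    def allows(self, key_id, purpose):
        return self._purpose.get(key_id) == purpose


def build_document(key_alg, data_alg):
    """Constructed sample: an EncryptedData whose session key is wrapped in an
    EncryptedKey. The CipherValue payloads are placeholders, not real data."""
    return (
        '<xenc:EncryptedData xmlns:xenc="%s" xmlns:ds="%s">'
        '<xenc:EncryptionMethod Algorithm="%s"/>'
        '<ds:KeyInfo><xenc:EncryptedKey>'
        '<xenc:EncryptionMethod Algorithm="%s"/>'
        '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
        '</xenc:EncryptedKey></ds:KeyInfo>'
        '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
        '</xenc:EncryptedData>' % (XENC, DS, data_alg, key_alg)
    )


if __name__ == "__main__":
    good = build_document(XENC11 + "rsa-oaep", XENC11 + "aes128-gcm")
    downgraded = build_document(XENC + "rsa-1_5", XENC + "aes128-cbc")
    print(check_algorithms(good))        # (True, [])
    print(check_algorithms(downgraded))  # (False, [two legacy reasons])

    policy = KeyUsagePolicy()
    policy.register("server-enc-key", "decrypt")
    policy.register("server-sig-key", "sign")
    print(policy.allows("server-enc-key", "sign"))  # False
```

Note that a document is rejected as soon as any single `EncryptionMethod` is outside the allowlist, including a legacy key-transport algorithm wrapped around an otherwise acceptable AES-GCM payload; checking only the outermost algorithm would leave the RSA-PKCS#1 v1.5 path open.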