- From: Travis Mayberry <travism@ccs.neu.edu>
- Date: Tue, 18 Sep 2012 13:27:39 -0400
- To: public-webcrypto-comments@w3.org
Received on Wednesday, 19 September 2012 09:12:59 UTC
I am curious as to why the proposed API includes PKCS#1v1.5 as a padding mode for RSA. It has been known since 1998 (due to Bleichenbacher (http://www.springerlink.com/content/j5758n240017h867/) and improved later (http://www.iacr.org/archive/eurocrypt2000/1807/18070374-new.pdf)) to be vulnerable to padding oracle attacks. For some time it was questionable whether these attacks were useful in real world situations, but this year at CRYPTO there was a paper where another improved version of the attack was used to break cryptographic tokens which relied on PKCS#1v1.5 (http://hal.inria.fr/docs/00/70/47/90/PDF/RR-7944.pdf). Considering this is a new API not burdened with the shackles of backward compatibility, why not simply go with OAEP, which is provably secure?

~Travis Mayberry