Revised PKCS#1 draft available for comment [Was: RE: DH-less encryption mode for IKE]
Ran Canetti wrote earlier this month, excerpting:
> BTW, I'd like to draw attention to the "security considerations" section
> of the draft. It contains a warning that is relevant also to the
> current (DH-full) encryption modes of IKE. It reads:
>
> 4. Security Considerations
>
> The public key encryption modes of authentication in IKE require
> strong public key encryption. In particular, resistance to strong
> attacks generally known as "chosen ciphertext attacks" (CCA) is
> necessary. This is a practical need as well as the basis for a sound
> analysis of these protocols [BeCaKr]. Recently, an explicit chosen
> ciphertext attack on the PKCS #1 encryption standard was demonstrated
> [Ble]. RSA Labs., the authors of PKCS#1, are preparing a new release
> of PKCS #1 that will include the OAEP format of RSA encryption
> [RSAlabs].
> It is strongly recommended that IKE specifications and implementations
> move to that format which was designed to resist CCA and other attacks.
>
>
To update the status here, the draft version of PKCS #1 V2.0 is now
available for review on http://www.rsa.com/rsalabs/pubs/PKCS/. Comments are
solicited to pkcs-editor@rsa.com, and those received by Friday, 14 August
will be considered in the final version. The draft is available now in
MS-Word .doc and Adobe Acrobat .pdf format; preparation of an ASCII version
is currently in progress.
--John Linn, RSA Laboratories