
Revised PKCS#1 draft available for comment [Was: RE: DH-less encryption mode for IKE]



Ran Canetti wrote earlier this month, excerpting:

> BTW, I'd like to draw attention to the "security considerations" section
> of the draft. It contains a warning that is relevant also to the
> current (DH-full) encryption modes of IKE. It reads:
> 
>    4. Security Considerations
> 
>    The public key encryption modes of authentication in IKE require
>    strong public key encryption. In particular, resistance to strong
>    attacks generally known as "chosen ciphertext attacks" (CCA) is
>    necessary.  This is a practical need as well as the basis for a sound
>    analysis of these protocols [BeCaKr].  Recently, an explicit chosen
>    ciphertext attack on the PKCS #1 encryption standard was demonstrated
>    [Ble]. RSA Labs., the authors of PKCS#1, are preparing a new release
>    of PKCS #1 that will include the OAEP format of RSA encryption
>    [RSAlabs].
>    It is strongly recommended that IKE specifications and implementations
>    move to that format which was designed to resist CCA and other attacks.
> 
> 
To update the status here, the draft version of PKCS #1 V2.0 is now
available for review on http://www.rsa.com/rsalabs/pubs/PKCS/. Comments are
solicited to pkcs-editor@rsa.com, and those received by Friday, 14 August
will be considered in the final version.  The draft is available now in
MS-Word .doc and Adobe Acrobat .pdf format; preparation of an ASCII version
is currently in progress.

--John Linn, RSA Laboratories
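
The quoted Security Considerations recommend OAEP because it was designed to resist chosen ciphertext attacks. The following is an added example, not part of the original message or of the PKCS #1 draft: a minimal sketch of OAEP encoding and decoding that shows any single-bit change to an encoded block being rejected with one uniform error. It assumes SHA-1 with MGF1 and the block layout of later published PKCS #1 versions, which may differ in detail from the 1998 draft; the RSA operation itself is omitted and all function names are hypothetical.

```python
import hashlib, hmac, os

HLEN = 20  # SHA-1 output length; SHA-1 is the assumed OAEP hash here

def mgf1(seed, length):
    """MGF1: concatenate SHA-1(seed || 4-byte counter), truncate to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, label=b"", seed=None):
    """Return the k-byte block 00 || maskedSeed || maskedDB fed to RSA."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    seed = os.urandom(HLEN) if seed is None else seed
    padding = b"\x00" * (k - len(msg) - 2 * HLEN - 2)
    db = hashlib.sha1(label).digest() + padding + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k, label=b""):
    """Invert oaep_encode; every failure raises the same error."""
    if len(em) != k or k < 2 * HLEN + 2:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    rest = db[HLEN:].lstrip(b"\x00")  # skip the zero padding before 0x01
    ok = (em[0] == 0
          and hmac.compare_digest(db[:HLEN], hashlib.sha1(label).digest())
          and rest[:1] == b"\x01")
    if not ok:
        raise ValueError("decryption error")
    return rest[1:]

def accepted_after_bit_flip(em, k):
    """Count single-bit modifications of em that still decode."""
    accepted = 0
    for bit in range(8 * k):
        tampered = bytearray(em)
        tampered[bit // 8] ^= 1 << (bit % 8)
        try:
            oaep_decode(bytes(tampered), k)
            accepted += 1
        except ValueError:
            pass
    return accepted
```

With a 128-byte block (a 1024-bit modulus), `oaep_decode(oaep_encode(m, 128), 128)` returns `m`, while `accepted_after_bit_flip` returns 0: a modified block passes only if the recovered label hash happens to match.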