Re: issues with IKE that need resolution
Dan,
I would very much like to see a recommendation
(e.g. in the security considerations section)
about using the OAEP mode now supported by PKCS.
See the attached note that I sent a while ago.
Hugo
From hugo@ee.technion.ac.il Mon Sep 14 22:41:05 1998
Date: Tue, 18 Aug 1998 18:30:58 +0300 (IDT)
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
To: ipsec@tis.com
Subject: encryption mode and CCA attacks
Now that I am into IKE stuff:
There is one issue that I wanted to raise for a long time for those
implementing the encryption mode(s).
If you read our internet-draft
draft-ietf-ipsec-dhless-enc-mode-00.txt
you'll see the following paragraph in the security considerations:
The public key encryption modes of authentication in IKE require
strong public key encryption. In particular, resistance to strong
attacks generally known as "chosen ciphertext attacks" (CCA) is
necessary. This is a practical need as well as the basis for a sound
analysis of these protocols [BeCaKr]. Recently, an explicit chosen
ciphertext attack on the PKCS #1 encryption standard was demonstrated
[Ble]. RSA Labs., the authors of PKCS#1, are preparing a new release
of PKCS #1 that will include the OAEP format of RSA encryption [RSAlabs].
It is strongly recommended that IKE specifications and implementations
move to that format which was designed to resist CCA and other attacks.
This recommendation should be followed by the implementers of the current
IKE encryption modes that use PKCS RSA encryption (and not only by those
interested in a DH-less mode as proposed in the mentioned draft).
Hugo
References:
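
An added example, not part of the original message or of any IKE implementation: the OAEP encoding layer that the note recommends, showing that encoding is randomized and that any altered block is refused with one generic error instead of a format-specific one. It follows the EME-OAEP layout published in PKCS #1 v2 (RFC 8017) and leaves out the RSA exponentiation. Assumptions: SHA-256 as the hash, a 128-byte modulus length in the test, and all function names, including the hypothetical helper `rejected_bitflips`.

```python
import hashlib
import hmac
import os
HASH = hashlib.sha256  # assumption: the note does not name a hash function
HLEN = HASH().digest_size

def mgf1(seed, length):
    """MGF1 mask generation: hash seed || 4-byte counter until long enough."""
    blocks = (HASH(seed + i.to_bytes(4, "big")).digest()
              for i in range(length // HLEN + 1))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, label=b""):
    """Build the k-byte block EM that RSA encryption would exponentiate."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    seed = os.urandom(HLEN)  # fresh randomness for every encryption
    db = HASH(label).digest() + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k, label=b""):
    """Recover msg from EM; every failure raises the same generic error."""
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    rest = db[HLEN:]
    sep = rest.find(b"\x01")  # end of the zero padding
    ok = (len(em) == k and em[:1] == b"\x00" and sep >= 0 and not any(rest[:sep])
          and hmac.compare_digest(db[:HLEN], HASH(label).digest()))
    if not ok:  # sketch only: a production decoder must also be constant-time
        raise ValueError("decryption error")
    return rest[sep + 1:]

def rejected_bitflips(em, k):
    """Count single-bit changes to EM that the decoder refuses (hypothetical helper)."""
    rejected = 0
    for bit in range(8 * k):
        bad = bytearray(em)
        bad[bit // 8] ^= 1 << (bit % 8)
        try:
            oaep_decode(bytes(bad), k)
        except ValueError:
            rejected += 1
    return rejected
```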