[cryptography] Explaining crypto to engineers

Ondrej Mikle ondrej.mikle at nic.cz
Sun Feb 26 14:21:34 EST 2012


On 02/26/2012 04:47 AM, Kevin W. Wall wrote:
> On Sat, Feb 25, 2012 at 2:22 PM, Ondrej Mikle <ondrej.mikle at nic.cz> wrote:
> 
>>> 5) They don't know what padding is, or when/why to use it.
>>
>> I vaguely remember some past attacks on (I think) PKCS#1 padding; it was a long
>> time ago (I'm guessing it's fixed in PKCS#1 v1.5, right?). What about OAEP? I
>> also have a vague notion of a past paper that appeared to poke holes in it (maybe
>> I'm confusing it with something else?)
> 
> IIRC, there were some attacks on PKCS#1 padding with RSA. I generally
> just say if you are using padding with asymmetric encryption, use
> OAEPWithSHA-256AndMGF1Padding. Not sure that is valid with ciphers
> other than RSA though. Is it safe for others too?

I've just found an article about the OAEP padding oracle (that I couldn't recall
before):

http://ritter.vg/blog-mangers_oracle.html

Reportedly there is no major implementation that would suffer from an error
side-channel, although there is an interesting experiment with a timing side-channel.

Ondrej


