[cryptography] Explaining crypto to engineers

Ondrej Mikle ondrej.mikle at nic.cz
Sun Feb 26 14:21:34 EST 2012

On 02/26/2012 04:47 AM, Kevin W. Wall wrote:
> On Sat, Feb 25, 2012 at 2:22 PM, Ondrej Mikle <ondrej.mikle at nic.cz> wrote:
>>> 5) They don't know what padding is, or when/why to use it.
>> I vaguely remember some past attacks on (I think) PKCS#1 padding; it was a long
>> time ago (I'm guessing it's fixed in PKCS#1-1.5, right?). What about OAEP? I
>> also have a vague notion of a past paper that appeared to poke holes in it (maybe
>> I'm confusing it with something else?)
> IIRC, there were some attacks on PKCS#1 padding with RSA. I generally
> just say if you are using padding with asymmetric encryption, use
> OAEPWithSHA-256AndMGF1Padding. Not sure that is valid with ciphers
> other than RSA though. Is it safe for others too?

I've just found an article about the OAEP padding oracle (that I couldn't recall


Reportedly there is no major implementation that would suffer from error
side-channel, although there is an interesting experiment with timing side-channel.
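As an added illustration of what the OAEP padding discussed in this thread actually consists of (this is example code written for this page, not code from the list or from any library), the following implements EME-OAEP with SHA-256 and MGF1 as specified in RFC 8017 (PKCS#1 v2.2) using only the Python standard library. It pads and unpads a message for a hypothetical 1024-bit modulus (k = 128 bytes); the RSA operation itself is omitted. The decoder is written so that every failed check (leading byte, label hash, padding string, separator) raises the same "decryption error", which is the behaviour the standard requires precisely because distinguishable errors are what a padding oracle feeds on. The sample message, label and fixed seed are constructed values.

```python
"""EME-OAEP (RFC 8017, section 7.1) with SHA-256 and MGF1, standard library only.

Example code for illustration; not the RSA primitive, only the padding layer.
"""
import hashlib
import hmac
import secrets
from typing import Optional

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 bytes for SHA-256


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 mask generation function (RFC 8017, appendix B.2.1)."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, k: int, label: bytes = b"",
                seed: Optional[bytes] = None) -> bytes:
    """Return the k-byte encoded message EM = 0x00 || maskedSeed || maskedDB.

    `seed` is only a parameter so tests can be deterministic; real callers
    must leave it None so a fresh random seed is drawn for every message.
    """
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = HASH(label).digest()
    ps = b"\x00" * (k - len(message) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + message          # length k - H_LEN - 1
    if seed is None:
        seed = secrets.token_bytes(H_LEN)
    masked_db = xor_bytes(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor_bytes(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """Reverse oaep_encode. Every failure raises the same ValueError.

    All checks are evaluated before any error is reported, so the caller
    (and an attacker watching error codes) cannot tell which one failed.
    """
    if len(em) != k or k < 2 * H_LEN + 2:
        raise ValueError("decryption error")
    l_hash = HASH(label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor_bytes(masked_seed, mgf1(masked_db, H_LEN))
    db = xor_bytes(masked_db, mgf1(seed, k - H_LEN - 1))
    l_hash_prime, rest = db[:H_LEN], db[H_LEN:]

    ok = (y == 0)
    ok &= hmac.compare_digest(l_hash_prime, l_hash)
    # Locate the first 0x01 without an early exit; PS before it must be all zero.
    sep = -1
    for i in range(len(rest) - 1, -1, -1):
        if rest[i] == 0x01:
            sep = i
    ok &= (sep >= 0)
    ok &= all(b == 0 for b in rest[:max(sep, 0)])
    if not ok:
        raise ValueError("decryption error")
    return rest[sep + 1:]


if __name__ == "__main__":
    k = 128                                   # hypothetical 1024-bit modulus
    em = oaep_encode(b"hello", k, seed=bytes(range(H_LEN)))  # fixed seed for demo only
    print(em.hex())
    print(oaep_decode(em, k))
    try:
        oaep_decode(b"\x01" + em[1:], k)      # corrupt leading byte
    except ValueError as e:
        print("rejected:", e)
```

Note that collapsing the checks into one error message removes the error side-channel the thread refers to, but not a timing one: `hmac.compare_digest` is constant-time, while the Python loop over `rest` is not, so a production implementation in a lower-level language would also need branch-free handling of the separator search.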


