[cryptography] OAEP for RSA signatures?
thierry.moreau at connotech.com
Mon Jan 28 10:27:32 EST 2013
Peter Gutmann wrote:
> the reason why Bleichenbacher attacked v1.5
> rather than OAEP is because use of the latter is [...]
> compared to v1.5, [...]
Please correct me if I'm wrong. My point is that the highly significant
academic contributions (among which I would put Bleichenbacher attack)
should not be mis-represented by authoritative contributors to this list.
Bleichenbacher attack uses 1) characteristics of the PKCS v1.5 specs
according to which RSA is used in a hybrid cryptosystem, and 2) some
oracle which tells the attacker whether a give ciphertext is well-formed
The Bleichenbacher attack adaptation to OAEP is non-existent today and
would be an even more significant academic result. I must assume that
Bleichenbacher would have published results in this direction if his
research would have given those.
The oracle needed for a practical deployment of the Bleichenbacher
attack may be a timing/side channel attack vulnerability, but it may
also be something like a too detailed error code reported in the "main
channel" of a protocol. So the minefield from pure timing/side channel
attacks versus Bleichenbacher is distinct (and overlapping).
"Protect against side channel attacks" is one motto.
"Spot the oracle" is another one.
I find the latter important these days (that's an opinion, no need to
correct me on this one!).
Use of OAEP is a way to avoid the Bleichenbacher attack oracle
vulnerability, i.e. resist Bleichenbacher even if the oracle still remains.
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
More information about the cryptography