RSA padding scheme

brian m. carlson sandals at
Mon Jan 23 01:47:03 CET 2012

On Sun, Jan 22, 2012 at 11:29:54PM +0400, Sergey Matveev wrote:
> >If the standard allowed different padding schemes, then all
> >implementations would have to support multiple padding schemes, which
> >would be burdensome without providing significantly more security.
> Hmm, I see. However, does it really not provide much higher security?
> Just theoretically very interested in all of that. According to
> Wikipedia, there are several kinds of attacks against plain RSA (just
> some of them):
> * sending ciphertext with the same "e" to several recipients

This depends on a small message.  All secure padding schemes avoid this
problem because they pad the message so it is not small.

> * no randomness

All secure padding schemes provide this, as well.

> * problems with the product of two ciphertexts

This is not a problem with OpenPGP because the attacker never gets to
see the value encrypted with RSA because it's the symmetric key.

> So, padding should close all of those problems. As I can see, PKCS #1
> 1.5 just adds random pad to satisfy length requirements. Is that
> randomness sufficient to solve the above three issues? OAEP, compared to
> PKCS #1 1.5, is much more "mature" and looks really cool with X and Y
> dependent on each other.

The existence of PGP predates the invention of OAEP by at least three
years.  So it really wasn't an option, and PKCS #1 v1.5 is not insecure,
so there's no reason to break backwards compatibility.

> If PKCS #1 1.5 is sufficient, then OAEP just brings "all-or-nothing"
> additionally? Or because of RSA's ciphertext "payload" is always pretty
> random data (symmetric keys), then (probably) bad padding won't deal any
> damage?

Basically.  The issue is that if the padding is incorrect, the message
is rejected.  So the attacker can't manipulate the message without
risking corrupting the structure of the method.

brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
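The three points discussed in the message above (small messages under a small public exponent, missing randomness, and the multiplicative property of textbook RSA) can be checked concretely. The script below is an added illustration, not code from the thread or from GnuPG: it implements EME-PKCS1-v1_5 (the RSA padding OpenPGP uses) in pure Python over a toy 512-bit key with e = 3, a constructed 16-byte stand-in for a session key, and a Miller-Rabin prime generator, and then shows that the padded ciphertext is neither a small perfect cube nor usable after multiplicative tampering, because the padding check rejects it.

```python
import random

SR = random.SystemRandom()  # OS randomness for primes and padding bytes


def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = SR.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, e):
    """Random prime p of the given size with gcd(p - 1, e) == 1."""
    from math import gcd
    while True:
        cand = SR.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand) and gcd(cand - 1, e) == 1:
            return cand


def gen_keypair(bits=512, e=3):
    """Toy RSA key pair (demo sizes only): returns ((n, e), (n, d))."""
    p = gen_prime(bits // 2, e)
    q = gen_prime(bits // 2, e)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def pkcs1_v15_pad(msg, k):
    """EME-PKCS1-v1_5: 0x00 || 0x02 || PS (>= 8 nonzero random bytes) || 0x00 || M."""
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(SR.randrange(1, 256) for _ in range(ps_len))  # nonzero bytes
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em, k):
    """Return M, or None if the padding structure is not intact.
    Written for readability; a production decoder must not reveal
    which check failed (timing or error messages)."""
    if len(em) != k or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # PS must be at least 8 bytes long
        return None
    return em[sep + 1:]


def rsa_encrypt_pkcs1(msg, pub):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(pkcs1_v15_pad(msg, k), "big")
    return pow(m, e, n)


def rsa_decrypt_pkcs1(c, priv):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = pow(c, d, n).to_bytes(k, "big")
    return pkcs1_v15_unpad(em, k)


def icbrt(n):
    """Floor of the integer cube root of n (binary search)."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def demonstrate(bits=512, e=3):
    pub, priv = gen_keypair(bits, e)
    n, _ = pub
    session_key = bytes(range(16))  # constructed stand-in for a symmetric key
    m = int.from_bytes(session_key, "big")
    # Textbook RSA: a 128-bit value cubed never wraps past a 512-bit n, so the
    # ciphertext is a perfect cube; and c * 2^e decrypts to exactly 2m.
    c_tb = pow(m, e, n)
    textbook_small = icbrt(c_tb) == m
    textbook_malleable = pow(c_tb * pow(2, e, n) % n, priv[1], n) == 2 * m
    # Padded RSA: the padded value fills the modulus, so c is not a small cube,
    # and multiplying c by 2^e breaks the 0x00 0x02 prefix, so it is rejected.
    c = rsa_encrypt_pkcs1(session_key, pub)
    padded_roundtrip = rsa_decrypt_pkcs1(c, priv) == session_key
    padded_small = icbrt(c) ** 3 == c
    tampered = rsa_decrypt_pkcs1(c * pow(2, e, n) % n, priv)
    return {"textbook_small": textbook_small,
            "textbook_malleable": textbook_malleable,
            "padded_roundtrip": padded_roundtrip,
            "padded_small": padded_small,
            "tampered_rejected": tampered is None}


if __name__ == "__main__":
    print(demonstrate())
```

With e = 3 the padded value always has 0x02 as its second byte, so doubling it yields a second byte of 0x04 or 0x05 and the decoder rejects it deterministically; this is the "message is rejected" behaviour the reply describes. Whether the padding also defends against chosen-ciphertext attacks on the decryption routine is a separate question that the thread does not address, and real decoders take care not to leak which check failed.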

More information about the Gnupg-users mailing list