RSA padding scheme

Sergey Matveev stargrave at stargrave.org
Mon Jan 23 07:12:14 CET 2012


----- User brian m. carlson on 2012-01-23 00:47:03 wrote:
>> * sending ciphertext with the same "e" to several recipients
>This depends on a small message.  All secure padding schemes avoid this
>problem because they pad the message so it is not small.
>> * no randomness
>All secure padding schemes provide this, as well.
>> * problems with the product of two ciphertexts
>This is not a problem with OpenPGP because the attacker never gets to
>see the value encrypted with RSA because it's the symmetric key.
Hmm, true. Seems really pretty secure in PGP context.

>The existence of PGP predates the invention of OAEP by at least three
>years.  So it really wasn't an option, and PKCS #1 v1.5 is not insecure,
>so there's no reason to break backwards compatibility.
Yeah, agreed.

>Basically.  The issue is that if the padding is incorrect, the message
>is rejected.  So the attacker can't manipulate the message without
>risking corrupting the structure of the method.
I see. Well, thank you very much for the explanation and information!
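The three textbook-RSA problems listed above, and the rejection of a manipulated ciphertext that brian describes, as an added worked example; this is not code from the thread or from GnuPG. It is pure Python with toy 256-bit keys and e = 3 so that key generation is quick, and the padding is a simplified EME-PKCS1-v1_5 block layout (00 02 || random non-zero bytes || 00 || message), not a full PKCS #1 implementation; the function names, the fixed seed and the sample plaintext "session key" are all constructed for the demo. It shows Håstad's broadcast attack recovering an unpadded message sent to three recipients, the determinism of unpadded encryption, and c1*c2 decrypting to m1*m2, and then shows that with a fresh random pad per ciphertext the CRT value is no longer a perfect cube, two encryptions of the same message differ, and the product of two padded ciphertexts decrypts to a block the unpad check refuses.

```python
import random
from math import gcd, prod

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin for n > 13; fine for a demo, not for real key generation."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1) or any((x := pow(x, 2, n)) == n - 1 for _ in range(s - 1)):
            continue
        return False
    return True

def gen_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c

def keygen(bits, e, rng):
    """Return ((n, e), (n, d)); retries until gcd(e, phi) == 1."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa(key, x):  # textbook RSA: x**e mod n with the public key, x**d mod n with the private
    return pow(x, key[1], key[0])

def pad(msg, k, rng):
    """Simplified EME-PKCS1-v1_5 layout: 00 02 || >= 8 random non-zero bytes || 00 || M."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

def unpad(em, k):
    """Reject a malformed block: this check is what turns a manipulated
    ciphertext into an error instead of a wrong plaintext."""
    eb = em.to_bytes(k, "big")
    sep = eb.find(b"\x00", 2)
    if eb[0] != 0 or eb[1] != 2 or sep < 10:
        raise ValueError("bad padding")
    return eb[sep + 1:]

def iroot(k, n):
    """Smallest x with x**k >= n, and whether it is an exact k-th root."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        lo, hi = (mid + 1, hi) if mid ** k < n else (lo, mid)
    return lo, lo ** k == n

def hastad_broadcast(cts, pubs):
    """Same m sent to e recipients with public exponent e: CRT over the moduli
    gives m**e as a plain integer (no reduction happened), so an integer e-th
    root recovers m. Returns None when the root is not exact."""
    e, mods = pubs[0][1], [n for n, _ in pubs]
    big = prod(mods)
    x = sum(c * (big // n) * pow(big // n, -1, n) for c, n in zip(cts, mods)) % big
    root, exact = iroot(e, x)
    return root if exact else None

def demo(seed=1):
    rng = random.Random(seed)   # fixed seed: throwaway demo keys only
    e, bits = 3, 256            # toy sizes so pure-Python keygen stays quick
    k = bits // 8
    keys = [keygen(bits, e, rng) for _ in range(e)]
    pubs = [pub for pub, _ in keys]
    (pub, priv), n = keys[0], keys[0][0][0]
    msg = b"session key"        # constructed sample plaintext
    m = int.from_bytes(msg, "big")
    out = {}
    # Same short message, same e, three recipients: recovered without padding;
    # with a fresh random pad per recipient the CRT value is no longer a cube.
    out["broadcast_plain"] = hastad_broadcast([rsa(p, m) for p in pubs], pubs)
    out["broadcast_padded"] = hastad_broadcast(
        [rsa(p, pad(msg, k, rng)) for p in pubs], pubs)
    # No randomness: textbook ciphertexts repeat, padded ones do not.
    out["deterministic"] = rsa(pub, m) == rsa(pub, m)
    out["randomized"] = rsa(pub, pad(msg, k, rng)) != rsa(pub, pad(msg, k, rng))
    # Product of ciphertexts: c1*c2 decrypts to m1*m2 under textbook RSA; the
    # same trick on padded ciphertexts yields a block the receiver rejects.
    out["product_plain"] = rsa(priv, rsa(pub, 6) * rsa(pub, 7) % n)
    c1, c2 = rsa(pub, pad(b"a", k, rng)), rsa(pub, pad(b"b", k, rng))
    try:
        unpad(rsa(priv, c1 * c2 % n), k)
        out["product_padded_rejected"] = False
    except ValueError:
        out["product_padded_rejected"] = True
    out["roundtrip"] = unpad(rsa(priv, rsa(pub, pad(msg, k, rng))), k)
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Note that the broadcast attack needs m**e to fit below the product of the moduli; a short unpadded session key does, a full-size padded block sent with different random padding to each recipient does not combine into a single cube at all. A real implementation would use a vetted library rather than this toy arithmetic, and the unpad check here is not constant-time.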



More information about the Gnupg-users mailing list