Halvar Flake and Nate Lawson on Alternative Padding Schemes

Nate | September 13th, 2006 | Filed Under: Defenses, Guests, Uncategorized

Halvar Flake asks,

Silly question, but couldn’t the entire thing have been avoided had we:

a) switched to OAEP ?

b) implemented OAEP correctly ?

c) refused to trust anyone who uses a low exponent ?

At least, if we trust the random oracle model, we have something relatively strong in our hands (OAEP). I am consistently surprised that the migration away from other, clearly weaker message padding schemes isn’t happening more quickly.

OAEP is for encryption, not signing/verification. You probably mean PSS?

Although you didn’t suggest this, I want to take this opportunity to point out that in signature verification, nondeterministic padding would be the worst thing to have since the whole point is that the recipient needs to be able to verify it. Replacing the 0xFF’s with random bytes would be a bad idea.
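The point above in code, as an added example that is not part of the original post: an EMSA-PKCS1-v1_5 encoder (RFC 8017 layout, SHA-256 DigestInfo) together with a verifier that rebuilds the one valid encoding and compares every byte in constant time. The rebuild-and-compare check only works because the encoding is deterministic; a signer that filled the padding with random bytes would produce an encoding the verifier cannot reconstruct, which is exactly why the post calls that a bad idea. The RSA operation itself is left out (the example works at the encoded-message layer), the 256-byte length stands in for a 2048-bit modulus, and the `random_padding_variant` helper and the sample message are constructed for the demonstration.

```python
import hashlib
import hmac
import random

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: EM = 0x00 || 0x01 || PS (all 0xFF) || 0x00 || T.

    The output depends only on the message and em_len, so a verifier can
    rebuild it from scratch without trusting anything inside the signature.
    """
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:  # PS must be at least 8 bytes long
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_strict(em: bytes, message: bytes, em_len: int) -> bool:
    """Rebuild the only valid encoding and compare all of it.

    Nothing in the padding is parsed; every byte has to be exactly where the
    encoder put it, so there is no lenient-parser logic to get wrong.
    """
    if len(em) != em_len:
        return False
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, em_len))


def random_padding_variant(message: bytes, em_len: int, seed: int) -> bytes:
    """Constructed for the demo only: same layout, but PS filled with
    pseudo-random non-zero bytes instead of 0xFF. The verifier has no way to
    know which bytes the signer chose, so it cannot rebuild this encoding."""
    rng = random.Random(seed)
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps = bytes(rng.choice(range(1, 256)) for _ in range(em_len - len(t) - 3))
    return b"\x00\x01" + ps + b"\x00" + t


def demo(em_len: int = 256) -> dict:
    """Exercise the verifier on a valid encoding and two invalid ones."""
    msg = b"constructed sample message"  # constructed input
    em = emsa_pkcs1_v15_encode(msg, em_len)
    return {
        # Same message, same length: encoding is reproducible byte for byte.
        "deterministic": em == emsa_pkcs1_v15_encode(msg, em_len),
        "valid": verify_strict(em, msg, em_len),
        # A different message yields a different T, so the comparison fails.
        "other_message": verify_strict(em, b"different message", em_len),
        # Randomised padding cannot be reconstructed, so it is rejected.
        "random_padding": verify_strict(
            random_padding_variant(msg, em_len, seed=1), msg, em_len
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Comparing the whole encoded message, rather than walking the padding with a parser, is also the discipline that removes the "fragile if not implemented properly" caveat the post attaches to low public exponents: the verifier accepts exactly one byte string per message and length, whatever the exponent.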

So what about using a random seed, but with a one-way function so the attacker can’t exactly choose the resultant, deterministic but masked message? This is how PSS works. The proof that RSA-PSS is theoretically secure is attractive, whereas nothing can be proven about PKCS#1v1.5 constant padding. However, I’m not sure if that’s balanced out by the cost of changing existing implementations and the possibility of implementation flaws since it’s more complex than fixed padding. Similar to DNSSEC, PSS needs to be supported by nearly all nodes in a network before it has value.
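The salted-but-verifiable construction described above, as an added example that is not part of the original post: EMSA-PSS encoding and verification following RFC 8017 (section 9.1) with SHA-256, MGF1 and a 32-byte salt, at the encoded-message layer only (the RSA operation is omitted, and an emBits value of 2047 stands in for a 2048-bit modulus; both are assumptions of the example). It shows why the randomness does not break verification: the salt is recovered by unmasking DB with MGF1(H), then H is recomputed from the message and the recovered salt, so two encodings of the same message differ yet both verify, and a single flipped bit is rejected.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
H_LEN = 32
SALT_LEN = 32  # assumption: salt length equal to the hash length


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017, appendix B.2.1) built on SHA-256."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes = None) -> bytes:
    """EMSA-PSS-ENCODE: EM = maskedDB || H || 0xbc, with a fresh random salt."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + SALT_LEN + 2:
        raise ValueError("encoded message too short for this salt and hash")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("unexpected salt length")
    m_hash = HASH(message).digest()
    # H binds the message hash to the salt through a one-way function.
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()
    ps = b"\x00" * (em_len - SALT_LEN - H_LEN - 2)
    db = ps + b"\x01" + salt
    masked_db = _xor(db, mgf1(h, em_len - H_LEN - 1))
    # Clear the leftmost 8*em_len - em_bits bits so EM fits below the modulus.
    top_bits = 8 * em_len - em_bits
    masked_db = bytes([masked_db[0] & (0xFF >> top_bits)]) + masked_db[1:]
    return masked_db + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int) -> bool:
    """EMSA-PSS-VERIFY: recover the salt by unmasking, then recompute H."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + SALT_LEN + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    top_bits = 8 * em_len - em_bits
    top_mask = (0xFF << (8 - top_bits)) & 0xFF
    if masked_db[0] & top_mask:
        return False
    db = _xor(masked_db, mgf1(h, em_len - H_LEN - 1))
    db = bytes([db[0] & (0xFF >> top_bits)]) + db[1:]
    ps_len = em_len - H_LEN - SALT_LEN - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False
    salt = db[-SALT_LEN:]  # the signer's random choice, recovered
    m_hash = HASH(message).digest()
    h_prime = HASH(b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_prime)


def demo(em_bits: int = 2047) -> dict:
    """Two salted encodings of one constructed message, plus a tampered one."""
    msg = b"constructed sample message"  # constructed input
    em_a = emsa_pss_encode(msg, em_bits)
    em_b = emsa_pss_encode(msg, em_bits)
    tampered = bytes([em_a[0] ^ 0x01]) + em_a[1:]
    return {
        "encodings_differ": em_a != em_b,
        "both_verify": emsa_pss_verify(msg, em_a, em_bits)
        and emsa_pss_verify(msg, em_b, em_bits),
        "other_message": emsa_pss_verify(b"other message", em_a, em_bits),
        "tampered": emsa_pss_verify(msg, tampered, em_bits),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The extra moving parts (MGF1, the bit clearing for emBits, the salt recovery path) are the implementation surface the post weighs against the proof: each of those checks in `emsa_pss_verify` has to be present and in the right order for the scheme's guarantees to hold.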

Regarding low exponent RSA (e=2, e=3), it is just as secure as higher exponent RSA if implemented properly. It also has nice performance benefits in the embedded arena. However, it is more “fragile” if not implemented properly, and PCs have been fast enough for the past 10 years that no CA should use low exponents for a root cert.
