RSA padding scheme

Sergey Matveev stargrave at stargrave.org
Sun Jan 22 20:29:54 CET 2012


----- User brian m. carlson on 2012-01-22 18:54:22 wrote:
>GnuPG uses PKCS #1 v1.5.  This is specified in RFC 4880.
>You cannot choose a different padding scheme and remain in compliance
>with the OpenPGP standard.
Ah! I see. Thank you! Now I understand.

>If the standard allowed different padding schemes, then all
>implementations would have to support multiple padding schemes, which
>would be burdensome without providing significantly more security.
Hmm, I see. However, would it really not provide much higher security?
Just theoretically very interested in all of that. According to
Wikipedia, there are several kinds of attacks against plain RSA (just
some of them):
* sending ciphertext with the same "e" to several recipients
* no randomness
* problems with the product of two ciphertexts

So, padding should close all of those problems. As far as I can see,
PKCS #1 1.5 just adds a random pad to satisfy length requirements. Is
that randomness sufficient to solve the above three issues? OAEP,
compared to PKCS #1 1.5, is much more "mature" and looks really cool
with X and Y dependent on each other.

If PKCS #1 1.5 is sufficient, then OAEP just brings "all-or-nothing"
additionally? Or, because RSA's ciphertext "payload" is always pretty
random data (symmetric keys), (probably) bad padding won't do any
damage?
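
The "no randomness" and "product of two ciphertexts" items from the message above, as an added Python example that is not part of the original post: it compares raw RSA with the PKCS #1 v1.5 encryption block (00 02 || PS || 00 || M). The toy key, the function names and the sample messages are assumptions constructed for illustration.

```python
import secrets

# Constructed toy key built from two Mersenne primes: trivially factorable,
# far too small for real use, chosen only so the example runs offline.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (30)

def rsa(x: int, exp: int) -> int:
    """Raw ("plain") RSA operation: x^exp mod N, no padding."""
    return pow(x, exp, N)

def pad_v15(msg: bytes) -> int:
    """EME-PKCS1-v1_5 block: 00 02 || PS || 00 || M, PS = at least 8 random nonzero bytes."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(msg)))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

def unpad_v15(block: int):
    """Return M, or None when the block lacks the 00 02 ... 00 structure."""
    em = block.to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:
        return None
    return em[sep + 1:]

def encrypt_v15(msg: bytes) -> int:
    return rsa(pad_v15(msg), E)

def decrypt_v15(c: int):
    return unpad_v15(rsa(c, D))

def product_accept_rate(trials: int = 200) -> float:
    """Fraction of products of two padded ciphertexts that still unpad as valid."""
    hits = 0
    for _ in range(trials):
        c = encrypt_v15(b"session key A") * encrypt_v15(b"session key B") % N
        hits += decrypt_v15(c) is not None
    return hits / trials

if __name__ == "__main__":
    m1, m2 = 0x1111, 0x2222
    print("plain deterministic:", rsa(m1, E) == rsa(m1, E))
    print("plain product decrypts to m1*m2:", rsa(rsa(m1, E) * rsa(m2, E) % N, D) == m1 * m2)
    print("padded ciphertexts differ:", encrypt_v15(b"key") != encrypt_v15(b"key"))
    print("padded product accept rate:", product_accept_rate())
```

The multiplicative property still holds on the padded integers; the product is rejected only because the result almost never has the 00 02 ... 00 layout.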


