Miguel wrote:
> I see that PKCS#1v1.5 is still used (as mentioned for instance in the
> SSLv3), however I remember some time ago that there was a vulnerability
> (CERT CA-1998-07) related to this version. One of the solutions is OAEP in
> PKCS#1 v2.0.
> Is NSS vulnerable to this attack? Note: apparently, this attack is not
> easy to implement.

There is an attack, known variously as the "million question" attack or the "Bleichenbacher" attack, that involves sending many chosen ciphertexts to a server (an "oracle") that will respond by telling whether the chosen ciphertext decrypted to a valid PKCS#1 data block or not. After a million or so replies, it is possible to determine the oracle's private key.

This is an attack on RSA encryption featuring PKCS#1 v1.5 block formatting, not against RSA signatures featuring PKCS#1 v1.5, AFAIK.

NSS uses PKCS#1 v1.5 encryption in SSL/TLS and in S/MIME encrypted emails. When properly implemented, SSL/TLS is not considered vulnerable to this attack. NSS properly implements SSL/TLS with respect to this attack. SSL/TLS servers completely avoid this vulnerability by not sending any negative response when a bad RSA ciphertext is received, and responding negatively only later, when the response does not clearly indicate the outcome of the RSA decryption.

S/MIME encrypted emails might be subject to this attack if an S/MIME email recipient was willing to reply to every email he receives, indicating whether it was properly encrypted or not. But we think no human will do that the million or so times needed to compromise his key.

So, in practice, for the uses NSS makes of PKCS#1 v1.5, I believe it is not vulnerable to this attack.

> Does the OAEP implementation in nss/lib/softoken/rsawrapr.c cover
> totally or partially this case? I've seen that Nelson is involved in an
> enhancement related to this feature (Bug 158747).

I believe the code you found is presently unused. As you noticed, there is a plan to ensure that NSS has a working OAEP implementation. However, since the SSL/TLS protocol definition continues to call for PKCS#1 v1.5, the new OAEP code will have no immediate impact on SSL/TLS. I don't know whether the current versions of the S/MIME standards permit use of OAEP or not.

In short, it may be that even when OAEP is available in NSS, it will not immediately be used in common NSS applications.

> I suppose that all these issues were already discussed, sorry for
> repeating questions.

I'm glad you're interested enough to read the code and ask about it. Remember, contributions to NSS are welcome. Hint, Hint. :-)

--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
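Added illustration (editor's example, not part of Nelson's message and not NSS code): the oracle Nelson describes is a decryptor that answers differently depending on whether the PKCS#1 v1.5 block check passed, and the SSL/TLS countermeasure he describes is to give no such answer at all. The block below works at the padding level only (no actual RSA; the "decrypted block" is constructed inline) and contrasts a naive server reply, which leaks the padding result, with the TLS-style server that substitutes a random premaster secret on any formatting error and lets the failure surface later in the Finished check. The 48-byte premaster length and the client-version check follow RFC 5246 section 7.4.7.1; all function names are this example's own.

```python
import hmac
import hashlib
import os

PREMASTER_LEN = 48  # TLS RSA premaster secret: 2 version bytes + 46 random bytes


def pkcs1_v15_unpad(block: bytes, k: int):
    """Strict EME-PKCS1-v1_5 decoding of a k-byte decrypted block.

    Returns the embedded message, or None on any formatting error:
    wrong length, leading bytes not 00 02, fewer than 8 padding bytes,
    or no 00 separator. Whether a server *reveals* the None case to the
    peer is exactly what makes it a Bleichenbacher oracle.
    """
    if len(block) != k or k < 11:
        return None
    if block[0] != 0x00 or block[1] != 0x02:
        return None
    try:
        sep = block.index(0x00, 2)  # first 00 after the 00 02 header
    except ValueError:
        return None
    if sep < 10:  # padding string PS must be at least 8 non-zero bytes
        return None
    return block[sep + 1:]


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """Type-2 padding with non-zero random PS; used here only to build test blocks."""
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for modulus size")
    ps = bytearray()
    while len(ps) < ps_len:
        ps.extend(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


def naive_server_reply(block: bytes, k: int) -> str:
    """The vulnerable pattern: a distinguishable reply for bad padding (the oracle)."""
    return "alert:bad_padding" if pkcs1_v15_unpad(block, k) is None else "continue"


def tls_rsa_premaster(block: bytes, k: int, client_version: tuple, rng=os.urandom) -> bytes:
    """TLS countermeasure: always produce a 48-byte premaster secret.

    On any padding, length or version error the random fallback is used
    instead of raising or signalling, so the handshake proceeds and only
    the Finished MAC fails later. The fallback is drawn *before* checking
    so that both paths do the same work; a production implementation must
    additionally be constant-time, which Python cannot guarantee.
    """
    fallback = rng(PREMASTER_LEN)
    msg = pkcs1_v15_unpad(block, k)
    ok = (msg is not None
          and len(msg) == PREMASTER_LEN
          and msg[:2] == bytes(client_version))
    return msg if ok else fallback


def hardened_server_reply(block: bytes, k: int, client_version: tuple) -> str:
    """Observable behaviour is identical for valid and invalid RSA ciphertexts."""
    tls_rsa_premaster(block, k, client_version)
    return "continue"


def finished_matches(server_premaster: bytes, client_premaster: bytes, transcript: bytes) -> bool:
    """Where the failure finally surfaces: the Finished MACs disagree when the
    server had to fall back to a random premaster. The HMAC stands in for the
    TLS PRF; the transcript is a constructed stand-in for the handshake hash."""
    server_mac = hmac.new(server_premaster, transcript, hashlib.sha256).digest()
    client_mac = hmac.new(client_premaster, transcript, hashlib.sha256).digest()
    return hmac.compare_digest(server_mac, client_mac)


if __name__ == "__main__":
    k = 128  # 1024-bit modulus, constructed example
    secret = bytes((3, 3)) + bytes(range(46))  # TLS 1.2 version bytes + 46 bytes
    good = pkcs1_v15_pad(secret, k)
    bad = b"\x00\x01" + good[2:]  # corrupt the block type byte
    print("naive  :", naive_server_reply(good, k), "/", naive_server_reply(bad, k))
    print("hardened:", hardened_server_reply(good, k, (3, 3)), "/",
          hardened_server_reply(bad, k, (3, 3)))
```

The naive server tells the attacker, ciphertext by ciphertext, whether the block was well-formed; the hardened server gives the same reply every time, and the corrupted ciphertext only shows up as a Finished mismatch, by which point the RSA result is no longer distinguishable from a simple wrong key.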
