RFC 3560 (rfc3560)
Use of the RSAES-OAEP Key Transport Algorithm in Cryptographic Message Syntax (CMS)
RFC 3560 RSAES-OAEP in CMS July 2003
1. Introduction
PKCS #1 Version 1.5 [PKCS#1v1.5] specifies a widely deployed variant
of the RSA key transport algorithm. PKCS #1 Version 1.5 key
transport is vulnerable to adaptive chosen ciphertext attacks,
especially when it is used for key management in interactive
applications. This attack is often referred to as the "Million
Message Attack," and it is explained in [RSALABS] and [CRYPTO98].
Exploitation of this vulnerability, which reveals the result of a
particular RSA decryption, requires access to an oracle which will
respond to hundreds of thousands of ciphertexts, which are
constructed adaptively in response to previously received replies
that provide information on the successes or failures of attempted
decryption operations.
The attack is significantly less feasible in store-and-forward
environments, such as S/MIME. RFC 3218 [MMA] discusses the
countermeasures to this attack that are available when PKCS #1
Version 1.5 key transport is used in conjunction with the
Cryptographic Message Syntax (CMS) [CMS].
When PKCS #1 Version 1.5 key transport is applied as an intermediate
encryption layer within an interactive request-response
communications environment, exploitation could be more feasible.
However, Secure Sockets Layer (SSL) [SSL] and Transport Layer
Security (TLS) [TLS] protocol implementations could include
countermeasures that detect and prevent the Million Message Attack
and other chosen-ciphertext attacks. These countermeasures are
performed within the protocol level.
In the interest of long-term security assurance, it is prudent to
adopt an improved cryptographic technique rather than embedding
countermeasures within protocols. To this end, an updated version of
PKCS #1 has been published. PKCS #1 Version 2.1 [PKCS#1v2.1]
supersedes RFC 2313. It preserves support for the PKCS #1 Version
1.5 encryption padding format, and it also defines a new one. To
resolve the adaptive chosen ciphertext vulnerability, the PKCS #1
Version 2.1 specifies and recommends use of Optimal Asymmetric
Encryption Padding (OAEP) for RSA key transport.
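The two encoding schemes discussed above, written out as an added example that is not part of RFC 3560 or PKCS #1: EME-PKCS1-v1_5, whose accept/reject result is exactly the oracle the Million Message Attack queries, a masked decoder of the kind RFC 3218 and TLS implementations use as a protocol-level countermeasure, and EME-OAEP as specified in PKCS #1 v2.1. Only the padding layer is shown; the RSA modular exponentiation is omitted, so the k-byte "encoded message" is the block RSAEP/RSADP would process. The 1024-bit modulus length (K = 128 bytes), SHA-256 as both the OAEP hash and the MGF1 hash, and the empty label are assumptions chosen for the example.

```python
"""PKCS #1 padding for RSA key transport (added example, not RFC 3560 text).

EME-PKCS1-v1_5 (PKCS #1 v1.5) and EME-OAEP (PKCS #1 v2.1) over a k-byte
block. The RSA operation itself is left out; EM is what RSAEP/RSADP sees.
"""
import hashlib
import os

K = 128        # modulus length in bytes (1024-bit key): assumption for the example
H_LEN = 32     # SHA-256 output length, the OAEP hash chosen for the example


def eme_pkcs1_v15_encode(msg: bytes, k: int = K) -> bytes:
    """EME-PKCS1-v1_5: 0x00 || 0x02 || PS (>= 8 non-zero random bytes) || 0x00 || M."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = bytearray()
    while len(ps) < k - len(msg) - 3:
        b = os.urandom(1)
        if b != b"\x00":          # PS must not contain zero bytes
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


def eme_pkcs1_v15_decode(em: bytes, k: int = K) -> bytes:
    """Strict decode. If a server reports any of these failures to the sender,
    the reply is the Bleichenbacher / Million Message oracle."""
    if len(em) != k or em[:2] != b"\x00\x02":
        raise ValueError("bad leading bytes")
    sep = em.find(b"\x00", 2)
    if sep < 0 or sep - 2 < 8:
        raise ValueError("bad padding string")
    return em[sep + 1:]


def pkcs1_v15_oracle(em: bytes) -> bool:
    """The single bit an interactive peer leaks: is this block PKCS-conforming?"""
    try:
        eme_pkcs1_v15_decode(em)
        return True
    except ValueError:
        return False


def eme_pkcs1_v15_decode_masked(em: bytes, key_len: int, k: int = K) -> bytes:
    """Protocol-level countermeasure in the style of RFC 3218 / TLS: on any
    padding failure carry on with a random key of the expected length instead
    of signalling an error. (Branch timing still needs care in real code.)"""
    fallback = os.urandom(key_len)
    try:
        key = eme_pkcs1_v15_decode(em, k)
    except ValueError:
        return fallback
    return key if len(key) == key_len else fallback


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 with SHA-256 (PKCS #1 v2.1, Appendix B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def eme_oaep_encode(msg: bytes, k: int = K, label: bytes = b"", seed=None) -> bytes:
    """EME-OAEP-ENCODE (PKCS #1 v2.1, 7.1.1 step 2) with SHA-256 / MGF1-SHA-256.
    `seed` may be fixed for reproducible tests; normally it is fresh randomness."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = hashlib.sha256(label).digest()
    ps = b"\x00" * (k - len(msg) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + msg                   # length k - H_LEN - 1
    seed = seed if seed is not None else os.urandom(H_LEN)
    masked_db = _xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = _xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def eme_oaep_decode(em: bytes, k: int = K, label: bytes = b"") -> bytes:
    """EME-OAEP-DECODE (PKCS #1 v2.1, 7.1.2 step 3). All checks are combined into
    one non-short-circuit result so no individual failure is distinguishable."""
    if len(em) != k:
        raise ValueError("decryption error")
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = _xor(masked_seed, mgf1(masked_db, H_LEN))
    db = _xor(masked_db, mgf1(seed, k - H_LEN - 1))
    l_hash = hashlib.sha256(label).digest()
    sep = db.find(b"\x01", H_LEN)                      # first 0x01 after lHash
    ps_ok = sep >= 0 and not any(db[H_LEN:sep])        # PS must be all zero
    if (y != 0) | (db[:H_LEN] != l_hash) | (not ps_ok):
        raise ValueError("decryption error")
    return db[sep + 1:]
```

Note that the v1.5 oracle answers "yes" for roughly one random block in 2^16 (the 0x00 0x02 prefix), which is why an attacker needs on the order of a million queries; the OAEP decoder instead returns a single undifferentiated error, and a tampered ciphertext fails the lHash check with overwhelming probability, so the adaptive attack has nothing to work with.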
This document specifies the use of RSAES-OAEP key transport algorithm
in the CMS. The CMS can be used in either a store-and-forward or an
interactive request-response environment.
Housley Standards Track