RFC 3560 (rfc3560) - Page 2 of 18


Use of the RSAES-OAEP Key Transport Algorithm in Cryptographic Message Syntax (CMS)



Alternative Format: Original Text Document



RFC 3560                   RSAES-OAEP in CMS                   July 2003


1.  Introduction

   PKCS #1 Version 1.5 [PKCS#1v1.5] specifies a widely deployed variant
   of the RSA key transport algorithm.  PKCS #1 Version 1.5 key
   transport is vulnerable to adaptive chosen ciphertext attacks,
   especially when it is used to for key management in interactive
   applications.  This attack is often referred to as the "Million
   Message Attack," and it explained in [RSALABS] and [CRYPTO98].
   Exploitation of this vulnerability, which reveals the result of a
   particular RSA decryption, requires access to an oracle which will
   respond to hundreds of thousands of ciphertexts, which are
   constructed adaptively in response to previously received replies
   that provide information on the successes or failures of attempted
   decryption operations.

   The attack is significantly less feasible in store-and-forward
   environments, such as S/MIME.  RFC 3218 [MMA] discussed the
   countermeasures to this attack that are available when PKCS #1
   Version 1.5 key transport is used in conjunction with the
   Cryptographic Message Syntax (CMS) [CMS].

   When PKCS #1 Version 1.5 key transport is applied as an intermediate
   encryption layer within an interactive request-response
   communications environment, exploitation could be more feasible.
   However, Secure Sockets Layer (SSL) [SSL] and Transport Layer
   Security (TLS) [TLS] protocol implementations could include
   countermeasures that detect and prevent the Million Message Attack
   and other chosen-ciphertext attacks.  These countermeasures are
   performed within the protocol level.

   In the interest of long-term security assurance, it is prudent to
   adopt an improved cryptographic technique rather than embedding
   countermeasures within protocols.  To this end, an updated version of
   PKCS #1 has been published.  PKCS #1 Version 2.1 [PKCS#1v2.1]
   supersedes RFC 2313.  It preserves support for the PKCS #1 Version
   1.5 encryption padding format, and it also defines a new one.  To
   resolve the adaptive chosen ciphertext vulnerability, the PKCS #1
   Version 2.1 specifies and recommends use of Optimal Asymmetric
   Encryption Padding (OAEP) for RSA key transport.

   This document specifies the use of RSAES-OAEP key transport algorithm
   in the CMS.  The CMS can be used in either a store-and-forward or an
   interactive request-response environment.








Housley                     Standards Track