I've been hearing a lot of scare talk about PKCS1 padding attacks.
Is PKCS1 v1.5 safe in signatures as it is practically transporting only message digest?
I'm using it in one of my applications so I'd like to know if it is safe to keep using it.
You're fine.
There are several different padding methods listed in PKCS v1.5. The method that has active attacks is actually a padding used during public key encryption - that is, it's used to encode the plaintext message before handing it off to the RSA public function. We don't use that method to sign messages.
For that matter, the attack model used against that PKCS v1.5 encryption padding doesn't apply to a signature method. In that attack model, the attacker generates bogus ciphertexts, sends them to the holder of the private key, sees what it does with them, and uses that to be able to figure out the decryption of a specific ciphertext. This doesn't apply to signature methods, as the holder of the private key just signs messages, and performs any necessary padding itself.
Yes, you're still secure. The current RSA PKCS#1 v1.5 signature scheme is still thought to be secure. So the following information in RFC 3447 section 8.2, describing PKCS#1 v2.1, still applies:
Moreover, while no attack is known against the EMSA-PKCS-v1_5 encoding method, a gradual transition to EMSA-PSS is recommended as a precaution against future developments.
Or, to put it more formally, the known Bleichenbacher attack is on RSAES-PKCS1-v1_5, not on RSASSA-PKCS1-v1_5 with EMSA-PKCS1-v1_5. Here RSAES is the RSA Encryption Scheme and RSASSA is the RSA Signature Scheme (with Appendix).
Or, to put it less formally, there aren't any attacks that invalidate PKCS#1 v1.5 for signature generation, but using PSS should be preferred. You must use OAEP for RSA encryption unless you are sure the known attacks on PKCS#1 v1.5 for encryption don't apply.
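To make the distinction between the two paddings concrete, here is an added example (not from either answer, standard library only) that builds the deterministic EMSA-PKCS1-v1_5 signature block from RFC 3447 section 9.2 next to the randomized EME-PKCS1-v1_5 encryption block from section 7.2.1, and checks a signature block the way section 8.2.2 does, by re-encoding and comparing the whole block. The SHA-256 DigestInfo prefix is the one listed in RFC 3447; `em_len`/`k` stand in for the RSA modulus length in bytes.

```python
import hashlib
import hmac
import os

# DER-encoded DigestInfo prefix for SHA-256, from RFC 3447 section 9.2, note 1
DIGEST_INFO_PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def emsa_pkcs1_v1_5_encode(message: bytes, em_len: int, hash_name: str = "sha256") -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 3447 section 9.2): the signature encoding.

    Block type 0x01, padding string of 0xFF bytes, then DigestInfo || hash.
    Nothing here is random: the signer produces the same block every time.
    """
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)  # at least 8 octets of 0xFF
    return b"\x00\x01" + ps + b"\x00" + t


def eme_pkcs1_v1_5_encode(message: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 (RFC 3447 section 7.2.1): the encryption encoding.

    Block type 0x02 and a random, non-zero padding string. This randomized
    format is the one whose decryption behaviour the Bleichenbacher attack
    model probes; it is not used when signing.
    """
    if len(message) > k - 11:
        raise ValueError("message too long")
    ps = bytearray()
    while len(ps) < k - len(message) - 3:
        octet = os.urandom(1)
        if octet != b"\x00":  # PS must consist of non-zero octets
            ps += octet
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def verify_emsa_encoding(em: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Verifier side (RFC 3447 section 8.2.2, steps 3-4): rebuild the expected
    encoded message for the claimed message and compare the full block."""
    try:
        expected = emsa_pkcs1_v1_5_encode(message, len(em), hash_name)
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)
```

Run the two encoders on the same input a few times to see that the signature block never changes while the encryption block changes on every call.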