On Monday 22 November 2010, Niels Möller wrote:
> My understanding is that the pkcs#1 v1.5 padding is a much more severe
> problem for encryption than for signing, mostly related to chosen
> ciphertext attacks.
>
> But I'm not a cryptologist. How important is it to obsolete v1.5 padding
> for signatures? What attacks are there?

There are no attacks. It's purely an extra-safety measure.

PSS has two advantages: First, it provides a security "proof" under the assumption that the RSA problem itself is hard and the random oracle model. Roughly speaking, PKCS #1 1.5 padding has no known flaws, but you can't prove that it doesn't have flaws - with PSS, you can.

The other thing is that PSS adds randomization - this often makes implementation flaws harder to exploit (for example fault-based attacks).

So there is no high pressure on implementing PSS, but it is a useful extra security measure in the long term.

-- 
Hanno Böck
Blog: http://www.hboeck.de/
GPG: 3DBD3B20
Jabber/Mail: hanno%hboeck.de@localhost

http://schokokeks.org - professional webhosting
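Added example, not part of the original message or of any project's code: a standard-library sketch of the two signature encodings from RFC 8017, showing that PKCS #1 v1.5 signing is deterministic while PSS draws a fresh salt for every signature. The key is a constructed toy key built from two Mersenne primes, and all function names are assumptions made for this illustration.

```python
import hashlib, os

# Constructed toy key built from two Mersenne primes: illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                    # modulus length in bytes
EMLEN = (N.bit_length() - 1 + 7) // 8            # PSS encodes to modBits - 1 bits
TOPMASK = 0xFF >> (8 * EMLEN - (N.bit_length() - 1))
HLEN = 32                                        # SHA-256 output; also the salt length
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def H(data): return hashlib.sha256(data).digest()

def mgf1(seed, n):
    blocks = (H(seed + i.to_bytes(4, "big")) for i in range(-(-n // HLEN)))
    return b"".join(blocks)[:n]

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def encode_v15(msg):                             # 00 01 FF..FF 00 DigestInfo
    t = SHA256_PREFIX + H(msg)
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign_v15(msg):
    return pow(int.from_bytes(encode_v15(msg), "big"), D, N)

def verify_v15(msg, sig):
    return pow(sig, E, N) == int.from_bytes(encode_v15(msg), "big")

def sign_pss(msg):
    salt = os.urandom(HLEN)                      # fresh randomness per signature
    h = H(b"\x00" * 8 + H(msg) + salt)
    db = b"\x00" * (EMLEN - 2 * HLEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db))))
    masked[0] &= TOPMASK                         # clear bits above modBits - 1
    return pow(int.from_bytes(bytes(masked) + h + b"\xbc", "big"), D, N)

def verify_pss(msg, sig):
    em = pow(sig, E, N).to_bytes(EMLEN, "big")
    masked, h = em[:EMLEN - HLEN - 1], em[EMLEN - HLEN - 1:-1]
    if em[-1] != 0xBC or masked[0] & ~TOPMASK & 0xFF:
        return False
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= TOPMASK
    pad = EMLEN - 2 * HLEN - 2                   # length of the zero padding
    if any(db[:pad]) or db[pad] != 1:
        return False
    return H(b"\x00" * 8 + H(msg) + bytes(db[pad + 1:])) == h
```

Signing the same message twice with sign_v15 returns the same integer, while two sign_pss calls return different integers that both pass verify_pss.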