author | lloyd <[email protected]> | 2008-12-08 22:46:20 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2008-12-08 22:46:20 +0000 |
commit | e41b96f756ac44f700ce70b30c57bfc4dd037537 (patch) | |
tree | 78dd6442719c28446d947a992bc8be36d4603738 | |
parent | 602b4194729d514e7988c6a0a063c94799283d2b (diff) |
Add a ref to a paper describing a chosen ciphertext attack on OAEP
since it is relevant to the implementation.
-rw-r--r-- | src/pk_pad/eme1/eme1.cpp | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/pk_pad/eme1/eme1.cpp b/src/pk_pad/eme1/eme1.cpp
index b5f2af6d3..e5db17df6 100644
--- a/src/pk_pad/eme1/eme1.cpp
+++ b/src/pk_pad/eme1/eme1.cpp
@@ -42,6 +42,14 @@ SecureVector<byte> EME1::pad(const byte in[], u32bit in_length,
 SecureVector<byte> EME1::unpad(const byte in[], u32bit in_length,
 u32bit key_length) const
 {
+ /*
+ Must be careful about error messages here; if an attacker can
+ distinguish them, it is easy to use the differences as an oracle to
+ find the secret key, as described in "A Chosen Ciphertext Attack on
+ RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in
+ PKCS #1 v2.0", James Manger, Crypto 2001
+ */
+
 key_length /= 8;
 if(in_length > key_length)
 throw Decoding_Error("Invalid EME1 encoding"); |
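Review bot: The new comment at the top of `EME1::unpad` warns only about distinguishable error messages, but the same oracle can be exposed through timing. The `if(in_length > key_length) throw ...` check visible just below it exits before whatever decoding work follows, so the length failure may be observably faster than a later padding failure even with identical message text. I would add a sentence such as `The same applies to timing: all failure paths should do the same work and throw the same exception.` The comment also says the oracle lets an attacker "find the secret key"; Manger's paper describes recovering the plaintext of a chosen ciphertext, so `recover the plaintext` would be more accurate. The rest of `unpad` is outside this hunk, so whether the later failure paths reuse the "Invalid EME1 encoding" message should be confirmed there.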