authorlloyd <[email protected]>2008-12-08 22:46:20 +0000
committerlloyd <[email protected]>2008-12-08 22:46:20 +0000
commite41b96f756ac44f700ce70b30c57bfc4dd037537 (patch)
tree78dd6442719c28446d947a992bc8be36d4603738 /src/pk_pad/eme1
parent602b4194729d514e7988c6a0a063c94799283d2b (diff)
Add a ref to a paper describing a chosen ciphertext attack on OAEP
since it is relevant to the implementation.
Diffstat (limited to 'src/pk_pad/eme1')
-rw-r--r--src/pk_pad/eme1/eme1.cpp8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/pk_pad/eme1/eme1.cpp b/src/pk_pad/eme1/eme1.cpp
index b5f2af6d3..e5db17df6 100644
--- a/src/pk_pad/eme1/eme1.cpp
+++ b/src/pk_pad/eme1/eme1.cpp
@@ -42,6 +42,14 @@ SecureVector<byte> EME1::pad(const byte in[], u32bit in_length,
SecureVector<byte> EME1::unpad(const byte in[], u32bit in_length,
u32bit key_length) const
{
+ /*
+ Must be careful about error messages here; if an attacker can
+ distinguish them, it is easy to use the differences as an oracle to
+ find the secret key, as described in "A Chosen Ciphertext Attack on
+ RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in
+ PKCS #1 v2.0", James Manger, Crypto 2001
+ */
+
key_length /= 8;
if(in_length > key_length)
throw Decoding_Error("Invalid EME1 encoding");
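Review bot: The new comment in EME1::unpad says the oracle can be used "to find the secret key", but Manger's attack recovers the plaintext of a target ciphertext, not the private key; suggest rewording to `oracle to recover the plaintext of a chosen ciphertext`. The comment also names only error messages, while the same oracle can come from timing or any other observable difference between failure paths, so a sentence such as `The same applies to timing: every failure path must look identical to the caller.` would make the constraint complete. The length check visible here throws `Decoding_Error("Invalid EME1 encoding")` before any unmasking is done. Whether the later checks use the same message and take comparable time cannot be confirmed from this hunk, because unpad's body continues outside it.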