I've just read the RFC 4880 specs and there is nothing about OAEP; only PKCS#1
Question
I've just read the RFC 4880 specs and there is nothing about OAEP; only PKCS#1 v1.5. If it is true that the OpenPGP standard only supports the PKCS#1 v1.5 padding scheme, is this a security issue?
Usually it's said that you should not use PKCS#1 v1.5 anymore, or just for legacy reasons, because it allows padding-oracle attacks. However, OpenPGP/GnuPG is considered secure. So, are the padding-oracle attacks feasible?
(I think they shouldn't be possible, because the recipient doesn't send any information back to the sender; but I'm not an expert, so I'm asking here.)
Some second thoughts: padding-oracle attacks should not be possible if you verify the signature of the sender and only decrypt the message if the sender is valid, or am I wrong here?
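The following is an added example, not code from the original question, the answer, or GnuPG. It shows the EME-PKCS1-v1_5 decoding step that RFC 4880 section 13.1.2 describes for an RSA-encrypted session key (EM = 0x00 || 0x02 || PS || 0x00 || M, where M is the symmetric algorithm id, the session key and the 2-octet checksum of section 5.1), written twice: once as a decoder whose error reporting tells the caller which check failed, and once as a decoder that reports only success or failure. The RSA operation itself is omitted; the functions start from the already-decrypted block. All byte values, function names and the sample key are constructed for the example.

```python
# Added example, not code from the original question or answer. It shows the
# EME-PKCS1-v1_5 decoding that RFC 4880 section 13.1.2 describes for an RSA
# session key (EM = 0x00 || 0x02 || PS || 0x00 || M, with M = algorithm id ||
# session key || 2-octet checksum per section 5.1), once as a decoder that
# reports which check failed and once as a decoder that reports nothing but
# success or failure. The RSA operation itself is omitted: we start from the
# already-decrypted block, which is what a real decrypt hands to this step.
# All byte values below are constructed samples.
import hmac
from typing import Optional, Tuple


def checksum(key: bytes) -> int:
    """RFC 4880 section 5.1 session-key checksum: octet sum mod 65536."""
    return sum(key) % 65536


def encode_em(algo: int, key: bytes, ps_len: int = 8) -> bytes:
    """Build a correctly padded block (PS is non-zero filler, >= 8 octets)."""
    ck = checksum(key).to_bytes(2, "big")
    return b"\x00\x02" + b"\x01" * ps_len + b"\x00" + bytes([algo]) + key + ck


def decode_leaky(em: bytes) -> Tuple[int, bytes]:
    """Decoder whose distinct error messages tell the caller *which* check
    failed. If an automated decryptor surfaces those messages (or their
    timing) to the sender, that difference is the oracle the question asks about."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad PKCS#1 block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:
        raise ValueError("padding string too short or separator missing")
    m = em[sep + 1:]
    if len(m) < 3:
        raise ValueError("message too short")
    algo, key, ck = m[0], m[1:-2], int.from_bytes(m[-2:], "big")
    if checksum(key) != ck:
        raise ValueError("session key checksum mismatch")
    return algo, key


def failure_reason(em: bytes) -> str:
    """What an observer of decode_leaky's error reporting would learn."""
    try:
        decode_leaky(em)
        return "ok"
    except ValueError as exc:
        return str(exc)


def decode_uniform(em: bytes) -> Optional[Tuple[int, bytes]]:
    """Decoder that evaluates every check and folds them into one flag, so
    nothing about *why* decoding failed leaves this function. Python gives
    no real constant-time guarantee; uniform error reporting is the property
    demonstrated. In OpenPGP deployments the remaining mitigations are not
    to expose the failure to the sender at all and to prefer OAEP or an
    authenticated mode where the implementation offers them."""
    ok = len(em) >= 11
    padded = em if ok else b"\x00" * 11        # dummy block keeps every check running
    ok &= padded[0] == 0x00
    ok &= padded[1] == 0x02
    sep = padded.find(b"\x00", 2)
    ok &= sep >= 10
    m = padded[sep + 1:] if sep != -1 else b""
    ok &= len(m) >= 3
    algo = m[0] if m else 0
    key = m[1:-2] if len(m) >= 3 else b""
    ck = m[-2:] if len(m) >= 2 else b"\x00\x00"
    ok &= hmac.compare_digest(checksum(key).to_bytes(2, "big"), ck)
    return (algo, key) if ok else None


# Constructed sample: symmetric algorithm id 9 (AES-256) and a 16-byte filler key.
SAMPLE_KEY = bytes(range(16))
GOOD_EM = encode_em(9, SAMPLE_KEY)
BAD_TYPE_EM = b"\x00\x01" + GOOD_EM[2:]          # wrong block type
BAD_CHECKSUM_EM = GOOD_EM[:-2] + b"\x00\x00"     # tampered checksum

if __name__ == "__main__":
    for name, em in [("good", GOOD_EM), ("bad type", BAD_TYPE_EM), ("bad checksum", BAD_CHECKSUM_EM)]:
        print(f"{name:12s} leaky -> {failure_reason(em)!r:48s} uniform -> {decode_uniform(em) is not None}")
```

Running the block prints three distinct outcomes for the leaky decoder but only a true/false for the uniform one; the point of the second decoder is that a process which must decrypt automatically should never let the sender observe more than that, and preferably nothing at all.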
Explanation / Answer
As you may have noticed, section 11.3 of RFC 4880 enumerates the legal packet compositions. In practice, you will observe that the signed payload is embedded in the encrypted message, so you can only check the signature after decrypting the message.
Regarding other matters, your statement "OpenPGP is considered secure" is wrong under some circumstances. OpenPGP is, regarding many aspects, not secure against oracle attacks (mainly because of the lack of an authenticated encryption scheme) and should probably not be used in automated decryption procedures unless you are a crypto expert knowing how to appropriately mitigate all of the possible information leaks. This statement is supported by many OpenPGP developers and this risk is clearly documented by some of them (e.g. the End-to-end team).
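As an added example, not code from the original answer or from any OpenPGP implementation, the following minimal parser for RFC 4880 section 4.2 packet headers is run over two constructed byte strings to make the packet composition of section 11.3 concrete: the message as received consists of a Public-Key Encrypted Session Key packet and a Symmetrically Encrypted Integrity Protected Data packet, and the One-Pass Signature, Literal Data and Signature packets only appear in the plaintext that exists after decryption. Packet bodies are dummy filler, and the function names and constants are the example's own.

```python
# Added example, not code from the original answer. A minimal parser for the
# RFC 4880 section 4.2 packet headers, run over two constructed byte strings,
# to show the packet composition from section 11.3 that the answer refers to:
# the signature packets sit inside the encrypted data, so they are not visible
# until after decryption. Packet bodies are dummy filler, not real ciphertext,
# keys or signatures.
from typing import List, Tuple

TAG_NAMES = {
    1: "Public-Key Encrypted Session Key",
    2: "Signature",
    4: "One-Pass Signature",
    11: "Literal Data",
    18: "Sym. Encrypted Integrity Protected Data",
}


def parse_packets(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (tag, body) for each top-level packet. Handles old-format and
    new-format headers, including new-format partial body lengths; the
    old-format indeterminate length (type 3) is rejected."""
    out, i = [], 0
    while i < len(data):
        ptag = data[i]
        if not ptag & 0x80:
            raise ValueError(f"invalid packet tag byte at offset {i}")
        i += 1
        if ptag & 0x40:                              # new-format header
            tag, body = ptag & 0x3F, b""
            while True:
                first = data[i]; i += 1
                if first < 192:                      # one-octet length
                    n, partial = first, False
                elif first < 224:                    # two-octet length
                    n = ((first - 192) << 8) + data[i] + 192; i += 1
                    partial = False
                elif first == 255:                   # five-octet length
                    n = int.from_bytes(data[i:i + 4], "big"); i += 4
                    partial = False
                else:                                # 224..254: partial body length
                    n, partial = 1 << (first & 0x1F), True
                if i + n > len(data):
                    raise ValueError("truncated packet body")
                body += data[i:i + n]; i += n
                if not partial:
                    break
        else:                                        # old-format header
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
            if ltype == 3:
                raise ValueError("indeterminate old-format length not supported")
            width = (1, 2, 4)[ltype]
            n = int.from_bytes(data[i:i + width], "big"); i += width
            if i + n > len(data):
                raise ValueError("truncated packet body")
            body = data[i:i + n]; i += n
        out.append((tag, body))
    return out


def new_packet(tag: int, body: bytes) -> bytes:
    """Encode a new-format packet with a one-, two- or five-octet length."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def old_packet(tag: int, body: bytes) -> bytes:
    """Encode an old-format packet (tag < 16) with a one-octet length."""
    return bytes([0x80 | (tag << 2)]) + bytes([len(body)]) + body


def top_level_tags(data: bytes) -> List[int]:
    return [tag for tag, _ in parse_packets(data)]


def contains_signature(data: bytes) -> bool:
    """True if a Signature or One-Pass Signature packet is visible at top level."""
    return any(tag in (2, 4) for tag in top_level_tags(data))


# Constructed outer message, as received: PKESK (tag 1) followed by SEIPD (tag 18).
OUTER_MESSAGE = new_packet(1, b"\x03" + bytes(8) + b"\x01" + bytes(32)) + \
                new_packet(18, b"\x01" + bytes(48))
# Constructed inner plaintext, which exists only after the session key is
# recovered: One-Pass Signature (4), Literal Data (11), Signature (2).
INNER_PLAINTEXT = new_packet(4, bytes(13)) + \
                  new_packet(11, b"b\x00" + bytes(4) + b"hello") + \
                  new_packet(2, bytes(20))

if __name__ == "__main__":
    for label, msg in [("received message", OUTER_MESSAGE), ("decrypted plaintext", INNER_PLAINTEXT)]:
        names = [TAG_NAMES.get(t, str(t)) for t in top_level_tags(msg)]
        print(f"{label}: {names}; signature visible: {contains_signature(msg)}")
```

The received message yields only tags 1 and 18, so a recipient has no signature to check until the session key has been decrypted and the SEIPD body decoded, which is why "verify first, then decrypt" is not an available ordering in this packet composition.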