Preventing the Million Message Attack on Cryptographic Message Syntax (RFC3218)

IP.com Disclosure Number: IPCOM000006539D
Original Publication Date: 2002-Jan-01
Included in the Prior Art Database: 2002-Jan-14
Document File: 8 page(s) / 16K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

E. Rescorla: AUTHOR

Abstract

This memo describes a strategy for resisting the Million Message Attack.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 21% of the total text.

Network Working Group                                        E. Rescorla
Request for Comments: 3218                                    RTFM, Inc.
Category: Informational                                     January 2002

                Preventing the Million Message Attack on
                      Cryptographic Message Syntax

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   This memo describes a strategy for resisting the Million Message
   Attack.

Table of Contents

   1. Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   1
   2. Overview of PKCS-1  . . . . . . . . . . . . . . . . . . . . .   2
   2.1. The Million Message Attack  . . . . . . . . . . . . . . . .   3
   2.2. Applicability . . . . . . . . . . . . . . . . . . . . . . .   3
   2.2.1. Note on Block Cipher Padding  . . . . . . . . . . . . . .   4
   2.3. Countermeasures . . . . . . . . . . . . . . . . . . . . . .   4
   2.3.1. Careful Checking  . . . . . . . . . . . . . . . . . . . .   4
   2.3.2. Random Filling  . . . . . . . . . . . . . . . . . . . . .   5
   2.3.3. OAEP  . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   2.4. Security Considerations . . . . . . . . . . . . . . . . . .   6
   3. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   6
   4. References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
   5. Author's Address. . . . . . . . . . . . . . . . . . . . . . .   6
   6. Full Copyright Statement  . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   When data is encrypted using RSA it must be padded out to the length
   of the modulus -- typically 512 to 2048 bits.  The most popular
   technique for doing this is described in [PKCS-1-v1.5].  However, in
   1998 Bleichenbacher described an adaptive chosen ciphertext attack on
   SSL [MMA].  This attack, called the Million Message Attack, allowed
   the recovery of a single PKCS-1 encrypted block, provided that the

   attacker could convince the receiver to act as a particular kind of
   oracle.  (An oracle is a program which answers queries based on
   information unavailable to the requester (in this case the private
   key)).  The MMA is also possible against [CMS].  Mail list agents are
   the most likely CMS implementations to be targets for the MMA, since
   mail list agents are automated servers that automatically respond to
   a large number of messages.  This document describes a strategy for
   resisting such attacks.
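   The oracle described above is created by a decoder that reports
   padding failures to the sender.  The following added example (not
   part of this RFC or of any CMS implementation) contrasts a decoder
   that raises on every defect with one that applies the random-filling
   countermeasure named in section 2.3.2: on any defect it substitutes a
   random key of the expected length, so the sender sees the same
   downstream symmetric-decryption failure whether or not the padding
   was valid.  The block layout 00 || 02 || PS || 00 || M is the PKCS#1
   v1.5 type-2 format from RFC 2313, assumed here rather than taken from
   this page; Python cannot make the check constant-time, so the example
   shows only the removal of the error signal.

```python
import os

def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """Build a PKCS#1 v1.5 type-2 encryption block 00 || 02 || PS || 00 || msg.
    k is the modulus length in bytes; PS is at least 8 random NON-ZERO bytes."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytearray()
    while len(ps) < k - 3 - len(msg):
        b = os.urandom(1)
        if b != b"\x00":          # PS must contain no zero byte
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg

def unpad_leaky(block: bytes) -> bytes:
    """Naive decoder: a distinct exception for each defect.  Reporting these
    back to the sender is exactly the oracle the Million Message Attack needs."""
    if block[0:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = block.find(b"\x00", 2)
    if sep < 10:                  # separator missing or PS shorter than 8
        raise ValueError("bad padding string")
    return block[sep + 1:]

def unpad_random_fill(block: bytes, cek_len: int) -> bytes:
    """Random-filling decoder: never signals failure to the sender.  All checks
    fold into one flag and every byte is scanned; on any defect a random key of
    the expected CEK length is returned, so the caller's symmetric decryption
    fails uniformly.  Assumes block is already the full k-byte RSA output."""
    k = len(block)
    bad = block[0] | (block[1] ^ 0x02)     # header must be 00 02
    sep = -1
    for i in range(2, k):                  # no early exit on the first zero
        if block[i] == 0 and sep < 0:
            sep = i
    bad |= 1 if sep < 10 else 0            # at least 8 bytes of PS
    bad |= 1 if sep != k - cek_len - 1 else 0   # key must be exactly cek_len
    candidate = block[k - cek_len:]
    filler = os.urandom(cek_len)           # drawn unconditionally
    return filler if bad else candidate
```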

2.  Overview of PKCS-1

   The first stage in RSA encryption is to map the message to be
   encrypted (in CMS a symmetric content-encryption key (CEK)) into an
   integer the same length as (but numerically less than) the RSA
   modulus of the recipient's public key (typically somewhere between
   512 and 2048 bits).  PKCS-1 describes the most common procedure for
   this transformation.

   We start with an "encryption block" of the same length as the
   modulus.  The rightmost bytes of the block are set to the message to
   be encrypted.  The fi...