8

Is there a way to calculate how much safer RSA-OAEP is compared to RSA with PKCS#1 v1.5 compliant padding? Or is there a good rule of thumb?

yyyyyyy
  • 12,261
  • 4
  • 48
  • 68
Meltem Coroz
  • 83
  • 1
  • 1
  • 3

1 Answers1

14

RSA PKCS#1 is still secure if padding oracles do not apply. If padding oracles apply, for instance when a server verifies the padding after decryption and somehow leaks the result (through an error message or by leaking information about the the verification time) then OAEP is much more secure.

Note that in principle OAEP can also leak information through timing attacks, so just using OAEP is no panacea.

[EDIT] Another problem with PKCS#1 v1.5 is that it allows for a relatively small amount of randomness - 8 bytes in the range 1..255 - to be used for larger messages. This can be avoided by using hybrid cryptography (where a symmetric cipher actually encrypts the message) or simply by using smaller messages. However, the MGF1 function of OAEP should be better protected against abuse.

Furthermore, OAEP also has a security proof that the padding should be secure as long as RSA is deemed secure. Although there are no known attacks on PKSC#1 - besides the aforementioned padding oracle attack - the algorithm doesn't have a formal security proof so it is possible that attacks do exist.

These kind of things cannot be easily quantified. RSA has about no security if PKCS#1 padding oracles apply. The lack of security proof may lead to an attack in the future, but this is - very likely - independent of the key size. Neither calculations nor rules-of-thumb apply. You should rather take a good look at your use cases, threat-model and attack vectors.

Or just use OAEP. Many libraries support OAEP because PKCS#1 is deemed less secure. Using RSA-KEM would also be a good option if that's available to you (and it is relatively easy to create if you have raw RSA available).

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323