In our current system we use an encryption solution based on RSA with OAEP padding. Key size is optional but default 2048. What is the general strength of RSA with OAEP? Are there know attacks that can break it, their complexity? Are people using it and relying on it as secure enough?
Thanks
OAEP is likely to be secure as long as the underlying primitives - RSA using modular exponentiation and the hash function to generate the padding - are considered secure. So the OAEP padding in itself should not pose any problems.
That said, we don't know if your protocol is secure, nor if the RSA / OAEP implementation is secure. It could for instance be vulnerable to timing or other side channel attacks.
Currently it seems that OAEP is your best bet for performing RSA encryption. Yes, OAEP is standardized and well used. RSA encryption with PKCS#1 v1.5 padding is still used, arguably too much.
As the RFC encapsulating the PKCS#1 standard specifies:
In addition, the running time for Inv is approximately t^2, where t is the running time of the adversary. The consequence is that we cannot exclude the possibility that attacking RSAES-OAEP is considerably easier than inverting RSA for concrete parameters. Still, the existence of a security proof provides some assurance that the RSAES-OAEP construction is sounder than ad hoc constructions such as RSAES-PKCS1-v1_5.
Hybrid encryption schemes based on the RSA-KEM key encapsulation paradigm offer tight proofs of security directly applicable to concrete parameters; see [30] for discussion. Future versions of PKCS #1 may specify schemes based on this paradigm.
This was based on the following:
E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is Secure under the RSA Assumption. In J. Kilian, editor, Advances in Cryptology - Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pp. 260 - 274. Springer Verlag, 2001.
As specified in the RFC, RSA-KEM could also be an option. RSA-KEM couples RSA encryption with a (Key Based) Key Derivation Function and symmetric encryption. RSA-KEM may be easier to implement securely. Not many libraries offer direct support for RSA-KEM though (or KDF's for that matter) and it will require some overhead.
