Subject: Re: [pkcs11] pkcs11_kem_algs_draft4 comments


On 9/22/23 12:33 PM, Jonathan Schulze-Hewett wrote:

Hi Bob,

Thanks for the comments. I'll incorporate or comment on the rest later today, but I did have one comment...

pkcs11_kem_algs_draft4:


As an aside, IMO we should at least put a large warning that padding it as described is a "bad idea". There's a reason OAEP exists, and NIST is no longer allowing PKCS#1v1.5 padding, much less something worse as described in the spec.

I'll likely have a potential draft for this, either here or in the profiles. There's a standard practice that makes pkcs #11v1.5 unwrapping less vulnerable. That code will also include something like, "Use this standard if you must support pkcs#11v1.5 for legacy applications, otherwise use OAEP as pkcs #11 1.5 is considered cryptographically dangerous". I've been waiting for Hubert to publish his Marvin paper (which is now live, I believe: https://people.redhat.com/~hkario/marvin/ and https://eprint.iacr.org/2023/1441).
</gre_replace>
<gr_insert after="34" cat="add_content" lang="python" orig="I'll likely present">
The "standard practice" for safer PKCS#1 v1.5 unwrapping referred to above is implicit rejection: when the padding check fails, the token hands back a synthetic key derived from the ciphertext instead of signalling an error, so the unwrap result itself offers no padding oracle. The example below is an added illustration, not code from this thread or from any PKCS#11 token; it works on the raw RSA-decrypted block, and the ciphertext, the per-key derivation secret and the block sizes are constructed values. Python integers are not constant-time, so the branch-free structure only shows what a C implementation inside the token would do.

```python
import hashlib
import hmac
import secrets

# Branch-free helpers on small non-negative ints (< 2**31). Python cannot
# guarantee constant time; this mirrors the structure a token would use in C.
def ct_eq(a: int, b: int) -> int:            # 1 if a == b else 0
    return (((a ^ b) - 1) >> 31) & 1

def ct_lt(a: int, b: int) -> int:            # 1 if a < b else 0
    return ((a - b) >> 31) & 1

def ct_select(flag: int, x: int, y: int) -> int:   # x if flag == 1 else y
    return y ^ (-flag & (x ^ y))

def pkcs1_v15_pad(key: bytes, block_len: int) -> bytes:
    """Type-2 block: 0x00 || 0x02 || PS (random nonzero, >= 8 bytes) || 0x00 || key."""
    ps_len = block_len - len(key) - 3
    if ps_len < 8:
        raise ValueError("key too long for block")
    ps = b""
    while len(ps) < ps_len:
        ps += bytes(b for b in secrets.token_bytes(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + ps + b"\x00" + key

def unwrap_implicit_reject(em: bytes, ciphertext: bytes, kdk: bytes, key_len: int) -> bytes:
    """em is the raw RSA-decrypted block, left-padded to the modulus size.
    Valid padding yields the wrapped key; anything else yields a synthetic key
    derived from the ciphertext and kdk (a constructed per-private-key secret),
    so the caller, and anyone timing the caller, sees the same code path."""
    n = len(em)
    if key_len > n - 11:                     # public parameters: branching is fine
        raise ValueError("key_len too large for block")
    bad = (ct_eq(em[0], 0x00) ^ 1) | (ct_eq(em[1], 0x02) ^ 1)
    found, sep = 0, 0
    for i in range(2, n):                    # scan every byte; no early exit
        z = ct_eq(em[i], 0x00)
        sep = ct_select(z & (found ^ 1), i, sep)   # index of the first zero byte
        found |= z
    bad |= found ^ 1                         # no separator at all
    bad |= ct_lt(sep, 10)                    # PS shorter than 8 bytes
    bad |= ct_eq(n - sep - 1, key_len) ^ 1   # payload is not the expected key size
    real = em[n - key_len:]                  # fixed-length slice; correct when bad == 0
    # Synthetic key: HMAC(kdk, ciphertext || counter), expanded to key_len bytes.
    synthetic = b"".join(hmac.new(kdk, ciphertext + bytes([c]), hashlib.sha256).digest()
                         for c in range((key_len + 31) // 32))[:key_len]
    return bytes(ct_select(bad, s, r) for s, r in zip(synthetic, real))
```

Because the synthetic key is a deterministic function of the ciphertext, repeated unwraps of the same bad ciphertext return the same value, which is what stops a caller from detecting rejection by comparing results across attempts.
<test>
kdk = b"constructed per-key secret"
ct = b"constructed ciphertext bytes"
key = bytes(range(16))
em = b"\x00\x02" + b"\x11" * 13 + b"\x00" + key
assert unwrap_implicit_reject(em, ct, kdk, 16) == key
bad_em = b"\x00\x01" + em[2:]
syn = unwrap_implicit_reject(bad_em, ct, kdk, 16)
assert len(syn) == 16 and syn != key
assert unwrap_implicit_reject(bad_em, ct, kdk, 16) == syn
assert unwrap_implicit_reject(bad_em, b"other ciphertext", kdk, 16) != syn
wrong_len = b"\x00\x02" + b"\x11" * 14 + b"\x00" + bytes(15)
assert unwrap_implicit_reject(wrong_len, ct, kdk, 16) == syn
no_sep = b"\x00\x02" + b"\x11" * 30
assert unwrap_implicit_reject(no_sep, ct, kdk, 16) == syn
em2 = pkcs1_v15_pad(key, 32)
assert em2[:2] == b"\x00\x02" and 0 not in em2[2:15] and em2[15] == 0
assert unwrap_implicit_reject(em2, ct, kdk, 16) == key
long_key = bytes(range(40))
em3 = pkcs1_v15_pad(long_key, 64)
assert unwrap_implicit_reject(em3, ct, kdk, 40) == long_key
assert len(unwrap_implicit_reject(b"\x00\x01" + em3[2:], ct, kdk, 40)) == 40
</test>
</gr_insert>
<gr_replace lines="36-39" cat="remove_boilerplate" orig="">

He's presenting his paper tomorrow in the Hague at ESORICS.

I'll likely present that as a separate proposal.




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]