----- User brian m. carlson on 2012-01-22 18:54:22 wrote: >GnuPG uses PKCS #1 v1.5. This is specified in RFC 4880. >You cannot choose a different padding scheme and remain in compliance >with the OpenPGP standard. Ah! I see. Thank you! Now I understand.
>If the standard allowed different padding schemes, then all >implementations would have to support multiple padding schemes, which >would be burdensome without providing significantly more security. Hmm, I see. However does it really won't provide much higher security? Just theoretically very interested in all of that. According to Wikipedia, there are several kind of attacks against plain RSA (just some of them): * sending ciphertext with the same "e" to several recipients * no randomness * problems with the product of two ciphertexts So, padding should close all of those problems. As I can see, PKCS #1 1.5 just adds random pad to satisfy length requirements. Is those randomness sufficient to solve above three issues? OAEP, comparing to PKCS #1 1.5, is much more "mature" and looks really cool with dependent on each other X and Y. If PKCS #1 1.5 is sufficient, then OAEP just brings "all-or-nothing" additionally? Or because of RSA's ciphertext "payload" is always pretty random data (symmetric keys), then (probably) bad padding won't deal any damage? _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users