[43707] in cryptography@c2.net mail archive


Re: A note on vendor reaction speed to the e=3 problem

daemon@ATHENA.MIT.EDU (Taral)
Sat Sep 16 15:33:34 2006

X-Original-To: cryptography@metzdowd.com
Date: Fri, 15 Sep 2006 21:04:48 -0500
From: Taral <taralx@gmail.com>
To: cryptography@metzdowd.com
In-Reply-To: <20060915134816.GA23796@jabberwocky.com>

On 9/15/06, David Shaw <dshaw@jabberwocky.com> wrote:
> GPG was not vulnerable, so no fix was issued.  Incidentally, GPG does
> not attempt to parse the PKCS/ASN.1 data at all.  Instead, it
> generates a new structure during signature verification and compares
> it to the original.

*That* is the Right Way To Do It. If there are variable parts (like
hash OID, perhaps), parse them out, then regenerate the signature data
and compare it byte-for-byte with the decrypted signature. Anything
you don't understand/control that might be variable (e.g. options) is
eliminated by this process.

I don't think there's anything inherently wrong with ASN.1 DER in
crypto applications.

-- 
Taral <taralx@gmail.com>
"You can't prove anything."
    -- Gödel's Incompetence Theorem

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
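The "regenerate and compare byte-for-byte" approach David Shaw describes for GPG, next to the kind of scanning parser the e=3 signature problem affected, as an added example that is not code from GPG, from this thread, or from its authors. Both functions operate on the encoded message block `em`, i.e. the k-byte result of the public-key operation on the signature, so no RSA key is needed; the function and parameter names, the `verify_lax` parsing logic, and the malformed test block (assembled directly, not forged) are assumptions made here for illustration.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 3447, section 9.2, note 1).
# The last byte of each prefix is the OCTET STRING length, i.e. the digest length.
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def emsa_pkcs1_v15_encode(message: bytes, k: int, hash_name: str = "sha256") -> bytes:
    """Build the full k-byte block 0x00 0x01 PS 0x00 T, where T = DigestInfo || hash.

    PS is a run of 0xFF bytes of at least 8 bytes; its length is fixed by k, so
    there is exactly one valid encoding for a given message, hash and modulus size.
    """
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (k - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_strict(em: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """The approach from the message above: regenerate the expected block from the
    message and compare the whole thing, including padding length, in one shot.
    `em` must be the full k-byte block (leading 0x00 included); trailing or
    misplaced bytes can never be overlooked because nothing is parsed."""
    expected = emsa_pkcs1_v15_encode(message, len(em), hash_name)
    return hmac.compare_digest(em, expected)


def verify_lax(em: bytes, message: bytes) -> bool:
    """A parsing verifier of the shape the e=3 problem exploited (hypothetical code):
    it scans past however much padding is present, reads the DigestInfo by its
    declared DER length, and never checks that the block ends right after the hash."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    for name, prefix in DIGEST_INFO_PREFIX.items():
        if em[i:i + len(prefix)] == prefix:
            digest_len = prefix[-1]
            start = i + len(prefix)
            found = em[start:start + digest_len]
            # Bug: whatever follows `found` is silently ignored.
            return found == hashlib.new(name, message).digest()
    return False


def malformed_block(message: bytes, k: int) -> bytes:
    """Constructed test input: minimal 8-byte padding, the correct DigestInfo and
    hash, then filler up to k bytes. This is a structurally invalid encoding; it is
    built directly here to show how the two verifiers treat it, not derived from
    any signature."""
    t = DIGEST_INFO_PREFIX["sha256"] + hashlib.sha256(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\xaa" * (k - len(head))


def demo(k: int = 256) -> dict:
    """Run both verifiers over a well-formed block and the malformed one."""
    msg = b"constructed sample message"
    good = emsa_pkcs1_v15_encode(msg, k)
    bad = malformed_block(msg, k)
    return {
        "strict_good": verify_strict(good, msg),
        "lax_good": verify_lax(good, msg),
        "strict_bad": verify_strict(bad, msg),
        "lax_bad": verify_lax(bad, msg),
        "strict_wrong_msg": verify_strict(good, b"some other message"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the strict verifier has no parser to get wrong: the only variable input is the hash algorithm, which is taken from the signature's own metadata (or simply tried from a short fixed list), and everything else is recomputed. A block that passes `verify_lax` but fails `verify_strict` is exactly the class of input the thread is about, so in a code review the presence of any byte-scanning or length-driven parsing in a signature verifier is the thing to flag.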
