[43893] in cryptography@c2.net mail archive
RE: Why the exponent 3 error happened:
daemon@ATHENA.MIT.EDU (Whyte, William)
Sun Sep 17 11:23:24 2006
X-Original-To: cryptography@metzdowd.com
Date: Sat, 16 Sep 2006 18:43:10 -0400
From: "Whyte, William" <WWhyte@ntru.com>
To: "James A. Donald" <jamesd@echeque.com>,
"Ben Laurie" <ben@algroup.co.uk>
Cc: "Cryptography" <cryptography@metzdowd.com>
> > > > This is incorrect. The simple form of the attack
> > > > is exactly as described above - implementations
> > > > ignore extraneous data after the hash. This
> > > > extraneous data is _not_ part of the ASN.1 data.
>
> James A. Donald wrote:
> > > But it is only extraneous because ASN.1 *says* it is
> > > extraneous.
No. It's not the ASN.1 that says it's extraneous, it's the
PKCS#1 standard. The problem is that the PKCS#1 standard
didn't require that the implementation check for the
correct number of ff bytes that precede the BER-encoded
hash. The attack would still be possible if the hash
wasn't preceded by the BER-encoded header.
William
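To illustrate the check at issue, here is an added example (not code from the thread or from any library): a PKCS#1 v1.5 verifier in the lenient style, which locates the DigestInfo after the 0xFF run and ignores whatever follows, beside a strict one that rebuilds the whole encoded message and compares every byte. It assumes a SHA-256 DigestInfo prefix and a 2048-bit modulus; the malformed input is constructed by hand to have the shape a lenient verifier accepts, and is not the output of any signing or forgery step.

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-256 (RFC 3447, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_em(digest, k):
    """EMSA-PKCS1-v1_5: 00 01 || FF..FF || 00 || DigestInfo, exactly k bytes."""
    t = SHA256_PREFIX + digest
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lenient_verify(em, digest):
    """Vulnerable style: accept any run of FF bytes and never examine the
    bytes after the DigestInfo. The count of FF bytes is not checked."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = SHA256_PREFIX + digest
    return em[i:i + len(t)] == t  # trailing bytes are ignored here


def strict_verify(em, digest, k):
    """Hardened: recompute the full expected EM and compare all k bytes,
    which pins the FF count and leaves no room for extraneous data."""
    if len(em) != k:
        return False
    return hmac.compare_digest(em, encode_em(digest, k))


def make_malformed_em(digest, k, ps_len=8):
    """Constructed input (not from any signer): minimal FF run, the correct
    DigestInfo, then filler bytes up to length k."""
    body = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + SHA256_PREFIX + digest
    return body + b"\x42" * (k - len(body))
```

The strict verifier rejects the malformed message because the padding length is wrong and there is data after the hash; the lenient one accepts it.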
---------------------------------------------------------------------
The Cryptography Mailing List