[43893] in cryptography@c2.net mail archive


RE: Why the exponent 3 error happened:

daemon@ATHENA.MIT.EDU (Whyte, William)
Sun Sep 17 11:23:24 2006

X-Original-To: cryptography@metzdowd.com
Date: Sat, 16 Sep 2006 18:43:10 -0400
From: "Whyte, William" <WWhyte@ntru.com>
To: "James A. Donald" <jamesd@echeque.com>,
	"Ben Laurie" <ben@algroup.co.uk>
Cc: "Cryptography" <cryptography@metzdowd.com>

>  > > > This is incorrect. The simple form of the attack
>  > > > is exactly as described above - implementations
>  > > > ignore extraneous data after the hash. This
>  > > > extraneous data is _not_ part of the ASN.1 data.
>
> James A. Donald wrote:
>  > > But it is only extraneous because ASN.1 *says* it is
>  > > extraneous.

No. It's not the ASN.1 that says it's extraneous, it's the
PKCS#1 standard. The problem is that the PKCS#1 standard
didn't require that the implementation check for the
correct number of ff bytes that precede the BER-encoded
hash. The attack would still be possible if the hash
wasn't preceded by the BER-encoded header.

William

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
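The check William describes, as an added example that is not part of the original message or any implementation discussed in the thread: a lenient PKCS#1 v1.5 verifier that skips the ff bytes and compares only the DigestInfo (ignoring whatever follows), next to the strict form that rebuilds the whole expected encoded message and compares every byte. The SHA-1 DigestInfo prefix is the one given in PKCS#1; the encoded message length of 128 and the malformed encoding are constructed for illustration, and the RSA operation itself is left out since the defect is entirely in how the encoded message is parsed.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-1, as listed in PKCS#1 v1.5 / RFC 3447.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info(message: bytes) -> bytes:
    """T = DigestInfo prefix || SHA-1(message)."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T with PS filling the whole block."""
    t = digest_info(message)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def lenient_verify(em: bytes, message: bytes) -> bool:
    """Models the flawed check: walk past any number of ff bytes, then compare
    only the DigestInfo. Bytes after the hash are never inspected."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = digest_info(message)
    return em[i:i + len(t)] == t


def strict_verify(em: bytes, message: bytes) -> bool:
    """PKCS#1 v1.5 verification as specified: rebuild EM' for this block
    length and require a full-length, constant-time byte-for-byte match."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def malformed_em(message: bytes, em_len: int, ps_len: int) -> bytes:
    """Constructed sample: too few ff bytes, valid DigestInfo, then filler.
    This is the shape of encoding the lenient check wrongly accepts."""
    head = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + digest_info(message)
    return head + b"\xab" * (em_len - len(head))


if __name__ == "__main__":
    msg = b"constructed sample message"
    good = emsa_pkcs1_v15_encode(msg, 128)
    bad = malformed_em(msg, 128, ps_len=8)
    print("well-formed:  lenient", lenient_verify(good, msg), "strict", strict_verify(good, msg))
    print("short padding: lenient", lenient_verify(bad, msg), "strict", strict_verify(bad, msg))
```

The strict form is the one to deploy: it needs no parser at all, so there is no padding-length, ASN.1 or trailing-data ambiguity to get wrong, which is exactly why the attack does not depend on the BER header being present.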
