[43897] in cryptography@c2.net mail archive


Re: A note on vendor reaction speed to the e=3 problem

daemon@ATHENA.MIT.EDU (James A. Donald)
Sun Sep 17 11:24:45 2006

X-Original-To: cryptography@metzdowd.com
Date: Sun, 17 Sep 2006 12:15:47 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: Taral <taralx@gmail.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <fa0147d90609151904k1c882f76r3dff62be3850c0f9@mail.gmail.com>

     --
On 9/15/06, David Shaw <dshaw@jabberwocky.com> wrote:
 >> GPG was not vulnerable, so no fix was issued.
 >> Incidentally, GPG does not attempt to parse the
 >> PKCS/ASN.1 data at all.  Instead, it generates a new
 >> structure during signature verification and compares
 >> it to the original.

Taral wrote:
 > *That* is the Right Way To Do It. If there are
 > variable parts (like hash OID, perhaps), parse them
 > out, then regenerate the signature data and compare it
 > byte-for-byte with the decrypted signature. Anything
 > you don't understand/control that might be variable
 > (e.g. options) is eliminated by this process.
 >
 > I don't think there's anything inherently wrong with
 > ASN.1 DER in crypto applications.

If there are no options, you are not using ASN.1 DER.
You are using some random padding bytes that happen to
be equal to ASN.1 DER.

     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      mMZpx7gaL6S/5STlYWv0A0ZM+HqCZSD2m0ClWjxL
      4UR16e+x3Uv/VW8C0Swxx9XMPtH99PEBNIc6BzpkQ

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
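The "regenerate and compare" approach Taral describes, placed next to the padding-parser style it replaces, as an added example that is not part of this thread and not GnuPG's code. It works on the already-decrypted signature block (the result of the RSA public operation), uses a constructed 1024-bit block size and a constructed message, and relies only on Python's standard library.

```python
import hashlib
import hmac
# DER DigestInfo prefixes from RFC 8017 section 9.2; the raw hash follows them.
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
def build_em(message: bytes, hash_name: str, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo(hash(message))."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_regenerate(em: bytes, message: bytes, k: int) -> bool:
    """GPG-style check: the hash OID is the only variable part, so select the hash
    by it, rebuild the whole block and compare byte-for-byte in constant time."""
    for name, prefix in DIGEST_INFO_PREFIX.items():
        if prefix in em:
            return hmac.compare_digest(em, build_em(message, name, k))
    return False

def verify_lenient(em: bytes, message: bytes) -> bool:
    """Parser-style check of the kind the e=3 advisories describe: walk the
    padding, find the DigestInfo, compare the hash, ignore whatever follows."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:  # PS must be at least 8 octets
        return False
    body = em[i + 1:]
    for name, prefix in DIGEST_INFO_PREFIX.items():
        if body.startswith(prefix):
            digest = hashlib.new(name, message).digest()
            return body[len(prefix):len(prefix) + len(digest)] == digest
    return False

K = 128  # constructed 1024-bit modulus size; no real key is involved
MSG = b"example signed message"  # constructed sample input
def demo() -> dict:
    # A well-formed block, and a malformed one that carries the right hash but
    # only 8 padding bytes and junk after the DigestInfo (the shape the e=3 flaw let through).
    good = build_em(MSG, "sha256", K)
    t = DIGEST_INFO_PREFIX["sha256"] + hashlib.sha256(MSG).digest()
    bad = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    bad += b"\xaa" * (K - len(bad))
    return {"strict_good": verify_regenerate(good, MSG, K), "lenient_good": verify_lenient(good, MSG),
            "strict_bad": verify_regenerate(bad, MSG, K), "lenient_bad": verify_lenient(bad, MSG)}
```

The regenerating verifier has nothing to get wrong about trailing bytes or padding length, because any block other than the one it rebuilds itself simply fails the comparison.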
