[43897] in cryptography@c2.net mail archive
Re: A note on vendor reaction speed to the e=3 problem
daemon@ATHENA.MIT.EDU (James A. Donald)
Sun Sep 17 11:24:45 2006
X-Original-To: cryptography@metzdowd.com
Date: Sun, 17 Sep 2006 12:15:47 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: Taral <taralx@gmail.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <fa0147d90609151904k1c882f76r3dff62be3850c0f9@mail.gmail.com>
--
On 9/15/06, David Shaw <dshaw@jabberwocky.com> wrote:
>> GPG was not vulnerable, so no fix was issued.
>> Incidentally, GPG does not attempt to parse the
>> PKCS/ASN.1 data at all. Instead, it generates a new
>> structure during signature verification and compares
>> it to the original.
Taral wrote:
> *That* is the Right Way To Do It. If there are
> variable parts (like hash OID, perhaps), parse them
> out, then regenerate the signature data and compare it
> byte-for-byte with the decrypted signature. Anything
> you don't understand/control that might be variable
> (e.g. options) is eliminated by this process.
>
> I don't think there's anything inherently wrong with
> ASN.1 DER in crypto applications.
If there are no options, you are not using ASN.1 DER.
You are using some random padding bytes that happen to
be equal to ASN.1 DER.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
mMZpx7gaL6S/5STlYWv0A0ZM+HqCZSD2m0ClWjxL
4UR16e+x3Uv/VW8C0Swxx9XMPtH99PEBNIc6BzpkQ
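The regenerate-and-compare check Taral describes, written out as an added Python example (it is not GPG's code and not from this thread). The SHA-256 DigestInfo prefix is the standard RFC 8017 constant; the modulus size, sample message and the "sloppy" block are constructed, and `decrypted` stands for s^e mod n already converted to a k-byte string. The lenient walker beside it shows why a parser that stops reading once it finds the hash is the pattern to avoid.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Regenerate the expected block EM = 0x00 || 0x01 || PS || 0x00 || T."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:  # RFC 8017 requires at least eight 0xFF padding bytes
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_by_regeneration(decrypted: bytes, message: bytes, em_len: int) -> bool:
    """Taral's approach: rebuild the whole block and compare it byte-for-byte."""
    try:
        expected = emsa_pkcs1_v15_encode(message, em_len)
    except ValueError:
        return False
    # Full-length comparison; a length mismatch also fails.
    return hmac.compare_digest(decrypted, expected)


def verify_by_lenient_parsing(decrypted: bytes, message: bytes) -> bool:
    """The pattern to avoid: walk the block, locate T, and never look past it."""
    if decrypted[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(decrypted) and decrypted[i] == 0xFF:
        i += 1
    if i >= len(decrypted) or decrypted[i] != 0x00:
        return False
    i += 1
    t = decrypted[i:i + len(SHA256_DIGESTINFO_PREFIX) + 32]
    # Bytes after T are never examined, so the padding length is not enforced.
    return t == SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


EM_LEN = 128  # constructed: a 1024-bit modulus
MESSAGE = b"constructed sample message"
GOOD_EM = emsa_pkcs1_v15_encode(MESSAGE, EM_LEN)
# Constructed block: too-short padding, a valid T, then trailing bytes that a
# lenient parser never reads but a regenerated block will not match.
_T = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(MESSAGE).digest()
SLOPPY_EM = b"\x00\x01" + b"\xff" * 8 + b"\x00" + _T
SLOPPY_EM += b"\x00" * (EM_LEN - len(SLOPPY_EM))
```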
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com