[45237] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

RE: Exponent 3 damage spreads...

daemon@ATHENA.MIT.EDU (Kuehn, Ulrich)
Thu Sep 21 15:58:53 2006

X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Thu, 21 Sep 2006 11:55:01 +0200
In-Reply-To: <E1GQKHx-0002cC-00@medusa01.cs.auckland.ac.nz>
From: "Kuehn, Ulrich" <Ulrich.Kuehn@telekom.de>
To: <pgut001@cs.auckland.ac.nz>, <cryptography@metzdowd.com>

Peter,=20

> From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz]=20
>=20
> "Kuehn, Ulrich" <Ulrich.Kuehn@telekom.de> writes:
>=20
> >But the PKCS#1 spec talks about building up the complete padded=20
> >signature input at the verifier, and then comparing it.
>=20
> Uhh, did you actually read the rest of my post?  *One variant=20
> of the PKCS #1 spec, that didn't exist at the time the the=20
> affected other standards were created*, talks about ..., not=20
> "the PKCS #1 spec" as a whole.  I even quoted the original=20
> text of the spec in my message.
>=20

It might have helped if you indicated that the citation was from the =
PKCS#1 standard version 1.5 (?).

Interestingly, I find there (version 1.5) also

	10.2.3 Data decoding

	The data D shall be BER-decoded to give an ASN.1 value of
	type DigestInfo, which shall be separated into a message
	digest MD and a message-digest algorithm identifier. The
	message-digest algorithm identifier shall determine the
	"selected" message-digest algorithm for the next step.

	It is an error if the message-digest algorithm identifier
	does not identify the MD2, MD4 or MD5 message-digest
	algorithm.

Here, any trailing garbage would be included in data D. But does an =
ASN.1 value allow such a thing? I am asking this independently of our =
discussion here.


Anyway, I think we agree on the point that the spec (even version 2.1) =
is in some point unprecise which should be considered a bug, as it can =
lead to implementation flaws. And yes, given what we know, e=3D3 is a =
good candidate for elimination :)

Ulrich

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post