[7376] in cryptography@c2.net mail archive
RE: outlook certs - solved
daemon@ATHENA.MIT.EDU (Markku-Juhani Saarinen)
Thu Jun 22 23:56:39 2000
Date: Thu, 22 Jun 2000 09:39:30 +0300 (EET DST)
From: Markku-Juhani Saarinen <mjos@cc.jyu.fi>
To: mattt@exchange.microsoft.com
Cc: cryptography@c2.net
Message-ID: <Pine.GSO.4.10.10006220908220.24062-100000@tukki>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT
Matt:
> I now believe you've decoded the below incorrectly because the leading
> bit is set, making this a signed number which may have made some of your
> tools croak. Decoding by hand, I get the following mod/exp:
Are you saying that under some conditions Microsoft Outlook generates a
x.509 cert with a negative modulus that can only be docoded "correctly"
with the other microsoft tools ?
If this is correct, the security implications are horrific as different
x.509 implementations interpret the INTEGER value in a different way. For
example, if an identity certificate generated by a Microsoft Outlook is
used on a service with a bug-free ASN.1 implementation, identity can be
easily faked (as demonstrated by my factorization of "bug-free" n) !
> note that the complement of DF = 20, AA = 55, which begins to look a lot
> like the number you 'decoded' below.
The number was decoded correctly, according to the ASN.1 standard. This
must be a bug in the microsoft implementation.
If you would have cared to check the thread you would have seen that
I and several other people pointed out that this number is a negative
one. Out tools didn't "croak", they simply said what is in there
according to ASN.1.
We'll have to do further research on this.
> BTW, I've had our research team check the above modulus (DFAA...) for
> trivial factors. We found no prime divisors below 10 million.
I checked with ECM; the probability of prime divisors below 10^25 in
"DFAA.." is small.
- mj
Markku-Juhani O. Saarinen <mjos@jyu.fi> University of Jyväskylä, Finland
