Exponent 3 damage spreads...
Kuehn, Ulrich
Ulrich.Kuehn at telekom.de
Thu Sep 21 03:55:08 EDT 2006
Peter,
> From: Peter Gutmann [mailto:pgut001 at cs.auckland.ac.nz]
>
> David Wagner <daw at cs.berkeley.edu> writes:
>
> >(a) Any implementation that doesn't check whether there is extra junk
> >left over after the hash digest isn't implementing the PKCS#1.5
> >standard correctly. That's a bug in the implementation.
>
> No, it's a bug in the spec:
>
> >9.4 Encryption-block parsing
> >
[...]
>
> Nothing in there about trailing garbage.
>
Actually, this part is about _encryption_; we are talking here about signature padding. But the PKCS#1 spec talks about building up the complete padded signature input at the verifier and then comparing it. However, there is a note saying that alternatively one could parse the padding, without saying how this would be done. The reason to use such a thing is given as saving intermediate memory. Oh well!
So in fact what a lot of implementors do, parsing the padding, is not specified in sufficient detail to get it right. I would consider this a buggy implementation resulting from a buggy specification.
Regards,
Ulrich
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
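As an added illustration of the two verifier styles the thread contrasts (not code from the list or from any of the posters): the first function rebuilds the complete EMSA-PKCS1-v1_5 block and compares it, as the spec's main text describes; the second walks the padding, finds the DigestInfo and stops looking, which is the "parsing" style Ulrich points out is underspecified; the third is the parsing style with the missing length check. The example operates on the encoded block only, assuming SHA-256 and a 256-byte block (a 2048-bit modulus); the RSA public-key operation that produces that block is out of scope. The trailing-garbage block is constructed here purely as a test vector that a correct verifier must reject.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (AlgorithmIdentifier + OCTET STRING header),
# as listed in the PKCS#1 spec's notes on EMSA-PKCS1-v1_5. Total DigestInfo = 19 + 32 bytes.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(message: bytes) -> bytes:
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Full encoded block: 00 || 01 || PS (FF bytes, at least 8) || 00 || DigestInfo."""
    t = digest_info(message)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_by_comparison(em: bytes, message: bytes) -> bool:
    """Spec's main-text method: rebuild the whole block and compare it, no parsing at all."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def _parse_header(em: bytes) -> int:
    """Shared parser: returns the index where DigestInfo must start, or -1 on bad framing."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return -1
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    # PS must be at least 8 bytes and must be terminated by a single 00 byte.
    if i < 10 or i >= len(em) or em[i] != 0x00:
        return -1
    return i + 1


def verify_by_lax_parsing(em: bytes, message: bytes) -> bool:
    """Deliberately wrong: accepts the block if DigestInfo appears after the padding,
    and ignores whatever follows it. This is the behaviour the thread is about."""
    i = _parse_header(em)
    if i < 0:
        return False
    t = digest_info(message)
    return em[i:i + len(t)] == t          # BUG: em[i + len(t):] is never examined


def verify_by_strict_parsing(em: bytes, message: bytes) -> bool:
    """Parsing style with the missing check: DigestInfo must end exactly at the end of em."""
    i = _parse_header(em)
    if i < 0:
        return False
    t = digest_info(message)
    return i + len(t) == len(em) and hmac.compare_digest(em[i:], t)


def block_with_trailing_garbage(message: bytes, em_len: int) -> bytes:
    """Constructed negative test vector: minimal 8-byte PS, then DigestInfo,
    then filler bytes. Not a valid encoding; every correct verifier must reject it."""
    t = digest_info(message)
    filler = b"\x42" * (em_len - 3 - 8 - len(t))
    return b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + filler


if __name__ == "__main__":
    msg = b"hello"
    good = emsa_pkcs1_v15_encode(msg, 256)
    bad = block_with_trailing_garbage(msg, 256)
    for name, fn in [("comparison", verify_by_comparison),
                     ("lax parsing", verify_by_lax_parsing),
                     ("strict parsing", verify_by_strict_parsing)]:
        print(f"{name:15s} good={fn(good, msg)} trailing-garbage={fn(bad, msg)}")
```

The comparison verifier needs no parsing logic at all, which is why it has nothing to get wrong here; the cost the spec's note worries about is one extra block-sized buffer. If memory really forces a parsing verifier, the single check that closes this class of bug is the length equality in `verify_by_strict_parsing`: the DigestInfo must consume every remaining byte of the block.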