"ISAKMP" flaws?
Ian G
iang at systemics.com
Fri Nov 18 15:48:14 EST 2005
Florian Weimer wrote:
> Photuris uses a baroque variable-length integer encoding similar to
> that of OpenPGP, a clear warning sign. 8-/
Actually, if one variable-length integer
encoding is used instead of 5 other formats
in all sorts of strange places, I'd say this
is a good sign. Although I didn't originally
like the variable-length integer I've seen
used, I've come to appreciate how much simpler
and thus much more secure it makes the code.
> The protocol also contains
> nested containers which may specify conflicting lengths. This is one
> common source of parser bugs.
Containers for things are inevitable. I've
found they should be encapsulated in their
own protected container, so that bugs do not
cross boundaries. Yes, this makes for redundancy
and possibly conflict, but wasn't it said that
in security programming, we should be precise
in what we write out and precise in what we
accept? Any conflict - reject it.
iang
PS: I think it was Dan Bernstein who said that,
in opposition to the aphorism "be gentle in what
you accept?"
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list