"ISAKMP" flaws?
Florian Weimer
fw at deneb.enyo.de
Fri Nov 18 16:43:23 EST 2005
* William Allen Simpson:
> Florian Weimer wrote:
>> Photuris uses a baroque variable-length integer encoding similar to
>> that of OpenPGP, a clear warning sign. 8-/
>
> On the contrary:
>
> + a VERY SIMPLE "variable-length integer encoding", where every number
> has EXACTLY ONE possible representation (unlike ASN.1 which even the
> spell-checker wants to replace with asinine).
>
> + "similar to that of OpenPGP", the most common Open Source security
> software of the era, where the code could be easily reused (as it
> was in the initial implementation).
Even back then, the integer encoding was considered to be a mistake.
| I concur completely. I once got so fed up with this habit that I
| tromped around the office singing, "Every bit is sacred / Every bit
| is great / When a bit is wasted / Phil gets quite irate."
|
| Consider this to be one of the prime things to correct. Personally,
| I think that numbers should never (well, hardly ever) be smaller
| than 32 bits.
(Jon Callas, 1997-08-08)
>> The protocol also contains
>> nested containers which may specify conflicting lengths. This is one
>> common source of parser bugs.
>>
> On the contrary, where are internal nested containers in the protocol?
Variable-length integers within other fields, for example. You can't
avoid this phenomenon in its entirety, of course, without sacrificing
some of the advantages of a binary encoding.
> Again, the ISAKMP flaws were foreseeable and avoidable. And Photuris
> was written before the existence of ISAKMP.
I like ISAKMP as much as the next guy, but somehow I doubt that
simpler protocols necessarily lead to more robust software. Sure,
less effort is needed to implement them, but writing robust code still
comes at an extra cost. *sigh*
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
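The two parser hazards raised in this thread, an inner length field that disagrees with its enclosing container and an integer that has more than one encoding, shown as an added example that is not part of the thread and not Photuris or OpenPGP code. It assumes an OpenPGP-style MPI (2-byte bit count, then the minimal number of bytes) carried inside a container with its own 2-byte length; that layout is a stand-in for illustration, not a reproduction of the Photuris wire format.

```python
import struct

class ParseError(ValueError):
    """Raised for any length or encoding inconsistency; the message is rejected, never repaired."""

def parse_mpi(buf, offset, end):
    """Parse one OpenPGP-style MPI: 2-byte big-endian bit count, then the
    minimum number of bytes.  `end` is the boundary of the enclosing container,
    so an inner length is always checked against the outer one."""
    if end - offset < 2:
        raise ParseError("truncated MPI header")
    bits = struct.unpack_from(">H", buf, offset)[0]
    nbytes = (bits + 7) // 8
    start = offset + 2
    if start + nbytes > end:
        raise ParseError("MPI length exceeds enclosing container")
    body = buf[start:start + nbytes]
    # Canonical form: the first byte must carry exactly the bits the count
    # promises, so every integer has exactly one encoding (no leading zeros).
    if nbytes and body[0].bit_length() != bits - 8 * (nbytes - 1):
        raise ParseError("non-canonical MPI: bit count disagrees with data")
    return int.from_bytes(body, "big"), start + nbytes

def parse_container(buf):
    """Container: 2-byte payload length followed by MPIs that fill it exactly."""
    if len(buf) < 2:
        raise ParseError("truncated container header")
    end = 2 + struct.unpack_from(">H", buf, 0)[0]
    if end > len(buf):
        raise ParseError("container length exceeds message")
    values, pos = [], 2
    while pos < end:
        value, pos = parse_mpi(buf, pos, end)
        values.append(value)
    return values

def check_message(buf):
    """Return (values, None) when accepted, or (None, reason) when rejected."""
    try:
        return parse_container(buf), None
    except ParseError as exc:
        return None, str(exc)

# Constructed sample messages (hypothetical, not from any real protocol exchange).
GOOD = b"\x00\x07" + b"\x00\x09\x01\x02" + b"\x00\x07\x7f"       # MPIs 0x102 and 0x7f
INNER_TOO_LONG = b"\x00\x04" + b"\x00\x20\x01\x02"              # 32-bit MPI, 2 bytes left
NON_CANONICAL = b"\x00\x04" + b"\x00\x10\x00\x7f"               # 0x7f padded to 16 bits

if __name__ == "__main__":
    for name, msg in [("good", GOOD), ("inner too long", INNER_TOO_LONG),
                      ("non-canonical", NON_CANONICAL)]:
        print(name, check_message(msg))
```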