Exponent 3 damage spreads...
James A. Donald
jamesd at echeque.com
Thu Sep 14 00:02:04 EDT 2006
Simon Josefsson wrote:
> Jostein Tveit <josteitv at pvv.ntnu.no> writes:
>
>> Anyone got a test key with a real and a forged signature to test
>> other implementations than OpenSSL?
>
> There are actually two problems to consider...
>
> First, there is the situation by Bleichenbacher at Crypto 06 and
> explained in:
>
> http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
>
> That uses the fact that the implementation doesn't check for data beyond
> the end of the ASN.1 structure. OpenSSL was vulnerable to this,
> GnuTLS was not, see my analysis for GnuTLS on this at:
>
> http://lists.gnupg.org/pipermail/gnutls-dev/2006-September/001202.html
>
> Eric already posted test vectors that trigger this problem.
>
> The second problem is that the "parameters" field can ALSO be used to
> store data that may be used to manipulate the signature value into
> being a cube. To my knowledge, this was discovered by Yutaka Oiwa,
> Kazukuni Kobara, Hajime Watanabe. I didn't attend Crypto 06, but as
> far as I understand from Hal's post, this aspect was not discussed.
> Their analysis isn't public yet, as far as I know.
It seems to me that the evil here is ASN.1, or perhaps standards that
use ASN.1 carelessly and badly.
It is difficult to write code that conforms to ASN.1, easy to get it
wrong, and difficult to say what in fact constitutes conforming to ASN.1,
or at least difficult to say what in fact constitutes conforming to a
standard written in ASN.1.
ASN.1 does the same job as XML, but whereas XML is painfully verbose and
redundant, ASN.1 is cryptically concise.
People do not seem to get XML wrong all that often, while they endlessly
get ASN.1 wrong, and endlessly disagree over what constitutes being right.
Obviously we do need a standard for describing structured data, and we
need a standard that leads to that structured data being expressed
concisely and compactly, but it seems to me that ASN.1 is causing a lot of
grief.
What is wrong with it, what alternatives are there to it, or how can it
be fixed?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
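The defensive point underneath both problems Simon describes is the same: a PKCS#1 v1.5 verifier should not parse the decoded signature block at all, but should rebuild the one encoding it expects (padding, DigestInfo with its fixed AlgorithmIdentifier, hash) and compare it byte for byte over the full length, as RFC 8017 section 8.2.2 specifies. The following is an added Python example, not code from the thread, OpenSSL or GnuTLS; it works purely at the encoded-message (EM) layer and assumes a 2048-bit modulus (256-byte EM) and SHA-256, and it omits the RSA operation itself. The `verify_lenient` function models the ASN.1-parsing style of check that stops at the end of the DigestInfo, so that the constructed test vector with trailing filler can show why the full-length comparison matters.

```python
import hashlib
import hmac

# DER encoding of the DigestInfo prefix for SHA-256 (RFC 8017, section 9.2,
# note 1). The bytes "05 00" are the NULL parameters field of the
# AlgorithmIdentifier; a fixed prefix leaves no room for a variable
# "parameters" field either.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex(
    "3031300d060960864801650304020105000420"
)


def pkcs1_v15_encode(digest: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 | PS (0xff...) | 00 | DigestInfo."""
    t = SHA256_DIGESTINFO_PREFIX + digest
    if em_len < len(t) + 11:  # PS must be at least 8 bytes long
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_strict(em: bytes, message: bytes) -> bool:
    """Correct check: recompute the expected EM and compare the whole thing.

    Any extra bytes after the DigestInfo, a shorter-than-expected padding
    string, or a non-NULL parameters field all change the expected bytes
    and therefore fail this comparison.
    """
    digest = hashlib.sha256(message).digest()
    try:
        expected = pkcs1_v15_encode(digest, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def verify_lenient(em: bytes, message: bytes) -> bool:
    """Parse-style check that stops at the end of the DigestInfo.

    Included only to illustrate the failure mode discussed in the thread:
    it never looks at what follows the hash, so trailing data is ignored.
    """
    if len(em) < 11 or em[0:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    # Require at least 8 padding bytes and a 0x00 separator.
    if i < 10 or i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    return em[i:i + len(t)] == t


def build_test_em_with_trailing_data(message: bytes, em_len: int) -> bytes:
    """Constructed test vector (hypothetical, for exercising the verifiers):
    minimal 8-byte padding, a valid DigestInfo, then filler to the end.
    A real signature forgery would also need a signature value whose cube
    decodes to this; that step is deliberately not shown here."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    filler_len = em_len - 3 - 8 - len(t)
    return b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * filler_len


def demo() -> dict:
    """Run both verifiers over a well-formed EM and the trailing-data EM."""
    msg = b"constructed test message"          # constructed sample input
    em_good = pkcs1_v15_encode(hashlib.sha256(msg).digest(), 256)
    em_bad = build_test_em_with_trailing_data(msg, 256)
    return {
        "strict_accepts_good": verify_strict(em_good, msg),
        "lenient_accepts_good": verify_lenient(em_good, msg),
        "strict_accepts_bad": verify_strict(em_bad, msg),
        "lenient_accepts_bad": verify_lenient(em_bad, msg),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The strict verifier is also the simpler one: there is no ASN.1 decoder to get wrong, because the only ASN.1 it ever handles is a constant it emits, never one it reads. That is the practical answer to the complaint in the post: for a signature check, the structure does not need to be parsed at all.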