Why the exponent 3 error happened:

Ben Laurie ben at algroup.co.uk
Fri Sep 15 13:34:45 EDT 2006 

James A. Donald wrote:
>     --
> Greg Rose wrote:
>> At 19:02  +1000 2006/09/14, James A. Donald wrote:
>>> Suppose the padding was simply
>>>
>>> 010101010101010 ... 10101010101010000 hash
>>>
>>> with all leading zeros in the hash omitted, and four
>>> zero bits showing where the actual hash begins.
>>>
>>> Then the error would never have been possible.
> 
> James A. Donald:
>> I beg to differ. A programmer who didn't understand
>> the significance of crypto primitives would (as many
>> did) just search for the end of the padding to locate
>> the beginning of the hash, and check that the next set
>> of bytes were identical to the hash, then return
>> "true". So
> 
> The hash is known size, and occurs in known position.
> He does not search the padding for location, but
> examines it for correct format.
> 
>>
>> 01010101 ... 10101010101010000 hash crappetycrap
>>
>> would still be considered valid. There's a lot of code
>> out there that ignored the fact that after the FFs was
>> specific ASN.1 stuff, and just treated it as a defined
>> part of the padding.
> 
> And that code is correct, and does not have the problem
> that we discuss.  Paying attention to ASN.1 stuff is
> what is causing this problem.

No, it is incorrect and does have the problem we discuss. The fact that
it ignores the crap that's after the hash makes it vulnerable.

> Code is going wrong because ASN.1 can contain
> complicated malicious information to cause code to go
> wrong.  If we do not have that information, or simply
> ignore it, no problem.

This is incorrect. The simple form of the attack is exactly as described
above - implementations ignore extraneous data after the hash. This
extraneous data is _not_ part of the ASN.1 data.

The more complex form of the attack does actually use the ASN.1, in the
form of the parameters field. However, I'm not sure why you'd single out
ASN.1 as the cause of this problem: once the designers of the protocol
decided you needed parameters, the door was opened to the attack.
Implementations can incorrectly ignore the extraneous parameters no
matter how you encode them.

Not that I'm a fan of ASN.1, but if we're going to blame it for
problems, we should do so only when it is actually to blame.

The fault in this case is a combination of overly flexible protocol
design and implementation flaws.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list