Exponent 3 damage spreads...
James A. Donald
jamesd at echeque.com
Fri Sep 15 21:16:15 EDT 2006
--
Peter Gutmann wrote:
> Right, but it's been pure luck that that particular
> implementation (and most likely a number of others)
> happen to have implemented only a small number of hash
> algorithms that allow only absent or NULL parameters.
> Anything out there that implements a wider range of
> algorithms, including any that allow parameters, is
> most likely toast.
Parameters should not be expressed in the relevant part
of the signature. The only data that should be
encrypted with the RSA private key and decrypted with
the public key is the hash result itself, and the
padding. If the standard specifies that additional
material should be encrypted, the standard is in error
and no one should follow it.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
sVNWfKHHWrogEro6rkjKzE2XEHGqyk1tXLiayWU7
4joW/r8h3DIfdlwaI5up/06PSaWuhEtwMmF9TsuGR
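The concern in the quoted text, verifiers that parse hash-algorithm parameters inside the signed block, is commonly addressed by not parsing the block at all: the verifier rebuilds the one expected encoding and compares it byte for byte. The following is an added example, not part of the original message or of any implementation discussed in the thread; it assumes SHA-1 and PKCS #1 v1.5 encoding, and `lenient_check`, `strict_check` and `constructed_blocks` are hypothetical names.

```python
import hashlib
import hmac

# DER DigestInfo header for SHA-1 with NULL parameters (PKCS #1 v1.5).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
SHA1_OID = bytes.fromhex("06052b0e03021a")

def expected_em(message: bytes, k: int) -> bytes:
    """The single valid encoded block for a k-byte modulus."""
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this encoding")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def strict_check(em: bytes, message: bytes) -> bool:
    """Re-encode and compare every byte; nothing in em is parsed."""
    try:
        return hmac.compare_digest(em, expected_em(message, len(em)))
    except ValueError:
        return False

def lenient_check(em: bytes, message: bytes) -> bool:
    """Hypothetical parsing verifier: padding length is not checked and the
    parameters field is skipped by its stated length, whatever it holds."""
    if em[:2] != b"\x00\x01":
        return False
    i = em.find(b"\x00", 2)                 # separator after the 0xFF run
    if i < 0 or em[2:i].strip(b"\xff") or em[i + 1:i + 2] != b"\x30":
        return False
    alg = i + 3                              # AlgorithmIdentifier SEQUENCE
    if em[alg:alg + 1] != b"\x30" or em[alg + 2:alg + 9] != SHA1_OID:
        return False
    h = alg + 2 + em[alg + 1]                # jump over OID and parameters
    digest = hashlib.sha1(message).digest()
    return em[h:h + 2] == b"\x04\x14" and em[h + 2:] == digest

def constructed_blocks(message: bytes, k: int = 128):
    """Constructed inputs, not real signatures: the well-formed block and one
    with a single padding byte and filler inside the parameters field."""
    digest = hashlib.sha1(message).digest()
    alg = SHA1_OID + b"\x05" + bytes([k - 39]) + b"\xaa" * (k - 39)
    algid = b"\x30" + bytes([len(alg)]) + alg
    body = algid + b"\x04\x14" + digest
    bad = b"\x00\x01\xff\x00\x30" + bytes([len(body)]) + body
    return expected_em(message, k), bad
```

Both checks accept the well-formed block; only the parsing check accepts the block whose parameters field carries filler.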