Why the exponent 3 error happened:

Whyte, William WWhyte at ntru.com
Sat Sep 16 18:43:10 EDT 2006


>  > > > This is incorrect. The simple form of the attack
>  > > > is exactly as described above - implementations
>  > > > ignore extraneous data after the hash. This
>  > > > extraneous data is _not_ part of the ASN.1 data.
> 
> James A. Donald wrote:
>  > > But it is only extraneous because ASN.1 *says* it is
>  > > extraneous.

No. It's not the ASN.1 that says it's extraneous, it's the
PKCS#1 standard. The problem is that the PKCS#1 standard
didn't require that the implementation check for the
correct number of ff bytes that precede the BER-encoded
hash. The attack would still be possible if the hash
wasn't preceded by the BER-encoded header.

William

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
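
Added example, not part of the original message and not code from any implementation discussed in this thread: a lax check that skips any run of ff bytes and ignores whatever follows the hash, next to a strict check that rebuilds the full expected block and compares it whole. The function names, the 128-byte block length, the choice of SHA-1 and the sample blocks are assumptions made for illustration.

```python
import hashlib
import hmac

# DER-encoded DigestInfo header for SHA-1, as listed in PKCS#1 (RFC 3447, section 9.2).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def expected_em(msg: bytes, k: int) -> bytes:
    """The one valid block of k bytes: 00 01 ff..ff 00 || header || hash."""
    t = SHA1_PREFIX + hashlib.sha1(msg).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("block too short for this encoding")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def lax_check(em: bytes, msg: bytes) -> bool:
    """Flawed: accepts any number of ff bytes and never looks past the hash."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1                      # the count of ff bytes is never checked
    if i >= len(em) or em[i] != 0x00:
        return False
    t = SHA1_PREFIX + hashlib.sha1(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t    # bytes after the hash are ignored

def strict_check(em: bytes, msg: bytes) -> bool:
    """Compares the whole block, so padding length and tail are both covered."""
    try:
        return hmac.compare_digest(em, expected_em(msg, len(em)))
    except ValueError:
        return False

# Constructed sample data (not taken from any real signature).
K = 128
MSG = b"constructed sample message"
GOOD = expected_em(MSG, K)
T = SHA1_PREFIX + hashlib.sha1(MSG).digest()
# One ff byte instead of 90, hash shifted left, remainder filled with arbitrary bytes.
BAD = b"\x00\x01\xff\x00" + T + b"\xaa" * (K - 4 - len(T))

if __name__ == "__main__":
    for name, em in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "lax:", lax_check(em, MSG), "strict:", strict_check(em, MSG))
```

Neither check parses ASN.1; the strict one rejects the malformed block only because it accounts for every byte, including the number of ff bytes.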


