Exponent 3 damage spreads...

Kuehn, Ulrich Ulrich.Kuehn at telekom.de
Thu Sep 21 03:55:08 EDT 2006


Peter,

> From: Peter Gutmann [mailto:pgut001 at cs.auckland.ac.nz] 
> 
> David Wagner <daw at cs.berkeley.edu> writes:
> 
> >(a) Any implementation that doesn't check whether there is extra junk
> >left over after the hash digest isn't implementing the PKCS#1.5
> >standard correctly. That's a bug in the implementation.
> 
> No, it's a bug in the spec:
> 
> >9.4 Encryption-block parsing
> >
[...]
> 
> Nothing in there about trailing garbage.
> 

Actually, this part is about _encryption_; we are talking here about signature padding. But the PKCS#1 spec talks about building up the complete padded signature input at the verifier, and then comparing it. However, there is a note saying that alternatively one could parse the padding, without saying how this would be done. The reason to use such a thing is given as saving intermediate memory. Oh well!

So in fact what a lot of implementors do, parsing the padding, is not specified in sufficient detail to get it right. I would consider this a buggy implementation resulting from a buggy specification.

Regards,
Ulrich

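The two verifier styles contrasted in the message above, side by side, as an added example that is not code from the original post or from any participant in the thread. verify_parsing() walks the block field by field and never looks at what follows the digest, which is the under-specified "parse the padding" style; verify_compare() rebuilds the full encoded block at the verifier and compares it whole, which is what the spec's main text describes (RFC 3447 section 8.2.2). forge_e3() is the exponent-3 cube-root construction the thread's subject refers to: it picks s with s^3 < n whose cube begins with a minimally padded block and ends in garbage. Assumptions: Python 3.8+ standard library only, SHA-256 DigestInfo (the thread itself does not fix a hash), a toy Miller-Rabin key generator and a constructed sample message; the modulus must be roomy for the forgery to fit, and 2048 bits suffices here.

```python
import hashlib
import hmac
import secrets

E = 3
# DigestInfo prefix for SHA-256 (RFC 3447, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; good enough for a demo key, not for production."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    # p = 2 (mod 3) keeps e = 3 invertible modulo p - 1.
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if p % 3 == 2 and _is_probable_prime(p):
            return p

def generate_key(bits=2048):
    """Toy key generation (assumption of this example): returns (n, d) for e = 3."""
    p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
    while q == p:
        q = _gen_prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _k(n):
    return (n.bit_length() + 7) // 8

def emsa_pkcs1_v15_encode(msg, k):
    """EM = 00 01 FF..FF 00 DigestInfo||H(msg), exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg, n, d):
    em = int.from_bytes(emsa_pkcs1_v15_encode(msg, _k(n)), "big")
    return pow(em, d, n).to_bytes(_k(n), "big")

def _recover_em(sig, n):
    if len(sig) != _k(n):
        return None
    s = int.from_bytes(sig, "big")
    return None if s >= n else pow(s, E, n).to_bytes(_k(n), "big")

def verify_parsing(msg, sig, n):
    """The under-specified approach: check each field as it comes and
    never look at whatever follows the digest."""
    em = _recover_em(sig, n)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t      # trailing bytes are ignored

def verify_compare(msg, sig, n):
    """What the spec's main text describes: rebuild EM' and compare the whole block."""
    em = _recover_em(sig, n)
    return em is not None and hmac.compare_digest(em, emsa_pkcs1_v15_encode(msg, _k(n)))

def _icbrt(x):
    """Floor of the integer cube root (Newton's method from an overestimate)."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)
    while True:
        y = (2 * r + x // (r * r)) // 3
        if y >= r:
            return r
        r = y

def forge_e3(msg, n):
    """Exponent-3 forgery: s^3 < n, so no modular reduction happens; the cube
    starts with a minimally padded block and its low bytes are garbage."""
    prefix = (b"\x00\x01" + b"\xff" * 8 + b"\x00"
              + SHA256_DIGESTINFO + hashlib.sha256(msg).digest())
    target = int.from_bytes(prefix.ljust(_k(n), b"\x00"), "big")
    s = _icbrt(target)
    if s ** 3 < target:
        s += 1            # round up: the cube is now prefix || garbage
    return s.to_bytes(_k(n), "big")

def demo(bits=2048):
    n, d = generate_key(bits)
    msg = b"constructed sample message"       # constructed input for the demo
    real, forged = sign(msg, n, d), forge_e3(msg, n)
    return {
        "parsing_accepts_real": verify_parsing(msg, real, n),
        "compare_accepts_real": verify_compare(msg, real, n),
        "parsing_accepts_forgery": verify_parsing(msg, forged, n),
        "compare_accepts_forgery": verify_compare(msg, forged, n),
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() shows both verifiers accepting the genuine signature, only the parsing verifier accepting the forgery, and the compare verifier rejecting it because the FF run in the rebuilt block is longer than the eight bytes the forger used. Counting the FF bytes, as verify_parsing does, is no defence: the forgery uses exactly the minimum the parser demands.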
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


