Exponent 3 damage spreads...
Kuehn, Ulrich
Ulrich.Kuehn at telekom.de
Thu Sep 21 05:55:01 EDT 2006
Peter,
> From: Peter Gutmann [mailto:pgut001 at cs.auckland.ac.nz]
>
> "Kuehn, Ulrich" <Ulrich.Kuehn at telekom.de> writes:
>
> >But the PKCS#1 spec talks about building up the complete padded
> >signature input at the verifier, and then comparing it.
>
> Uhh, did you actually read the rest of my post? *One variant
> of the PKCS #1 spec, that didn't exist at the time the the
> affected other standards were created*, talks about ..., not
> "the PKCS #1 spec" as a whole. I even quoted the original
> text of the spec in my message.
>
It might have helped if you indicated that the citation was from the PKCS#1 standard version 1.5 (?).
Interestingly, I find there (version 1.5) also
10.2.3 Data decoding
The data D shall be BER-decoded to give an ASN.1 value of
type DigestInfo, which shall be separated into a message
digest MD and a message-digest algorithm identifier. The
message-digest algorithm identifier shall determine the
"selected" message-digest algorithm for the next step.
It is an error if the message-digest algorithm identifier
does not identify the MD2, MD4 or MD5 message-digest
algorithm.
Here, any trailing garbage would be included in data D. But does an ASN.1 value allow such a thing? I am asking this independently of our discussion here.
Anyway, I think we agree on the point that the spec (even version 2.1) is in some point unprecise which should be considered a bug, as it can lead to implementation flaws. And yes, given what we know, e=3 is a good candidate for elimination :)
Ulrich
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list