[Cryptography] Is ASN.1 still the thing?

Phillip Hallam-Baker phill at hallambaker.com
Sun Nov 19 16:59:17 EST 2017


On Sat, Nov 18, 2017 at 2:57 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
> On 11/17/17 at 1:02 PM, nico at cryptonector.com (Nico Williams) wrote:
>
>> For security protocols this should be a non-issue though: we don't use
>> real numbers.  But someone said they were advised to stay away from
>> ASN.1 because of this issue when designing SPKI -- that's just nonsense :/
>
>
> It may be nonsense, but Carl Ellison was severely burned by this issue on a
> project before we started developing the SPKI spec. That experience, along
> with the large number of security flaws in ASN.1 implementations, made him
> hate ASN.1. Since he was a principal author of SPKI, we followed his wish to
> avoid ASN.1 like the plague. That's the history.

ASN.1 DER is unsafe and ASN.1 BER can be unsafe.

The issue is simple: Some people are unable to write secure code. If
you use an encoding that makes it more likely such people will write
an incorrect implementation that leads to buffer overrun errors then
that is your fault.

Specifically, the issues that occur are of the form

LengthA:{LengthB:{Data}, LengthC:{Data}}

It turns out that in many implementations of IPv6, ASN.1, JPEG, etc.,
it is possible to cause a buffer overrun by creating such a structure
with LengthB > LengthA.

Checking to get this right is time consuming and difficult to get
right. A crap ASN.1 decoder can be done in a week, a really good one
with every possible corner case is enormous and might take a year. So
just don't use ASN.1; it is utterly awful.

Incidentally, anyone remember Linus Torvalds' 'compiler masturbation'
rant? He was upset because someone had written bound checking
assertions into the IPv6 stack and because he didn't immediately
understand the reason it was there, he fired off a shitty rant because
he is a nasty bully and people are willing to think he is God. I
really don't like that kind of behavior.

More importantly, I don't trust Linux code as secure because I know he
engages in that kind of behavior.

https://www.theregister.co.uk/2015/11/01/linus_torvalds_fires_off_angry_compilermasturbation_rant/
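
The LengthB > LengthA case described in the message above, as an added example that is not part of the original post: a validator for a simplified TLV format (1-byte tag, 1-byte length; an assumption of this example, not real DER or BER) that checks every nested length against the bytes left in its parent. The names tlv_validate, TAG_CONTAINER and MAX_DEPTH and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified TLV assumed for this example (not real DER/BER): 1-byte tag,
 * 1-byte length, then the value. Tag 0x30 marks a container of nested TLVs. */
#define TAG_CONTAINER 0x30
#define MAX_DEPTH 8

/* Validate buf[0..len) as a sequence of TLVs. Each child length is checked
 * against the bytes remaining in its parent, never against the end of the
 * whole input buffer. Returns 0 if well formed, -1 otherwise. */
static int tlv_validate(const uint8_t *buf, size_t len, int depth)
{
    size_t off = 0;

    if (depth > MAX_DEPTH)
        return -1;                  /* bound recursion on hostile input */
    while (off < len) {
        if (len - off < 2)
            return -1;              /* truncated tag/length header */
        uint8_t tag = buf[off];
        size_t vlen = buf[off + 1];
        off += 2;
        if (vlen > len - off)
            return -1;              /* child claims more than its parent holds */
        if (tag == TAG_CONTAINER &&
            tlv_validate(buf + off, vlen, depth + 1) != 0)
            return -1;
        off += vlen;
    }
    return 0;
}

/* Constructed samples.
 * good: A(len 8){ B(len 2), C(len 2) }
 * bad:  A(len 4){ B(len 6) ... } followed by more data. B fits inside the
 *       input buffer as a whole, but overruns its parent A (LengthB > LengthA). */
static const uint8_t good[] = {0x30, 8, 0x04, 2, 'a', 'b', 0x04, 2, 'c', 'd'};
static const uint8_t bad[]  = {0x30, 4, 0x04, 6, 'a', 'b', 'c', 'd',
                               0x04, 2, 'e', 'f'};

int check_good(void) { return tlv_validate(good, sizeof good, 0); }
int check_bad(void)  { return tlv_validate(bad, sizeof bad, 0); }

int main(void) { return (check_good() == 0 && check_bad() == -1) ? 0 : 1; }
```

A check that only compares LengthB with the end of the input buffer accepts the second sample, because the surrounding data makes the buffer long enough; the comparison has to be made against the enclosing element.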

