[Cryptography] Is ASN.1 still the thing?
John-Mark Gurney
jmg at funkthat.com
Sat Nov 25 02:52:55 EST 2017
Peter Gutmann wrote this message on Fri, Nov 17, 2017 at 10:17 +0000:
> Santosh Chokhani <santosh.chokhani at gmail.com> writes:
>
> >Wow. That is magic. Do not decode a certificate but verify signature and
> >extract fields.
>
> How about "do a string search through the encoded cert data until you find the
> OID for the public key, then extract the key components from the bytes that
> follow and use those". That's what you get when the spec mandates the use of
> a full-blown PKI and the target hardware is a Cortex M0 or an MSP430.
I really hope that's not the case, because if it doesn't fully parse
all the leading data, you are now open to a packet-in-packet style attack.
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the cryptography
mailing list