[Cryptography] How to De-Bollocks Cryptography?
Chris Frey
cdfrey at foursquare.net
Fri Aug 30 03:24:08 EDT 2024
On Mon, Aug 12, 2024 at 11:52:53PM -0400, Phillip Hallam-Baker wrote:
> The complexity in SAML came from using XML as a base and we did that
> because, well ASN.1. ASN.1 was a very good idea that got ruined because of
> one half baked proposal, DER encoding which is utterly unnecessary and a
> bad way to achieve the intended outcome. Canonicalization is just as bad in
> XML.
I found this comment perplexing, considering this article from
Phrack magazine, issue #70:
http://phrack.org/issues/70/12.html#article
Quoting part of the conclusion:
Last, but not least, there are some lessons to be learned.
First....
[...]
Second, BER is a hairy beast. BER parsers tend to become extremely
complex and complexity is the enemy of security. If you must
handle ASN.1, use DER whenever possible. There are examples of
alloc-less DER parsers which do a pretty good job and seem very
secure when used properly, such as libDER.
- Chris
More information about the cryptography
mailing list