>  > > > This is incorrect. The simple form of the attack
>  > > > is exactly as described above - implementations
>  > > > ignore extraneous data after the hash. This
>  > > > extraneous data is _not_ part of the ASN.1 data.
> 
> James A. Donald wrote:
>  > > But it is only extraneous because ASN.1 *says* it is
>  > > extraneous.

No. It's not the ASN.1 that says it's extraneous, it's the
PKCS#1 standard. The problem is that the PKCS#1 standard
didn't require that the implementation check for the
correct number of ff bytes that precede the BER-encoded
hash. The attack would still be possible if the hash
wasn't preceded by the BER-encoded header.

William

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to