> > > > This is incorrect. The simple form of the attack
> > > > is exactly as described above - implementations
> > > > ignore extraneous data after the hash. This
> > > > extraneous data is _not_ part of the ASN.1 data.

> James A. Donald wrote:
> > > But it is only extraneous because ASN.1 *says* it is
> > > extraneous.
No. It's not the ASN.1 that says it's extraneous; it's the PKCS#1 standard. The problem is that the PKCS#1 standard didn't require that the implementation check for the correct number of ff bytes that precede the BER-encoded hash. The attack would still be possible if the hash wasn't preceded by the BER-encoded header.

William

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
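A worked illustration of William's point, added here as an example; it is not code from the thread or from any implementation the posters discuss. It contrasts a verifier that walks the PKCS#1 v1.5 encoded message left to right and stops after the hash (so it never counts the ff bytes or looks at what follows the hash) with one that rebuilds the full expected encoding and compares all of it. With e = 3 the forger only needs the public modulus: it picks the encoding 00 01 ff 00 || DigestInfo || garbage and takes an integer cube root. Assumptions of mine: SHA-256 as the hash, a 2048-bit stand-in modulus (the forged value never reaches the size of N, so a real modulus behaves the same), and the function names.

```python
import hashlib
import hmac
import random

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

E = 3                                  # the small public exponent the attack relies on
MODULUS_BITS = 2048
K = MODULUS_BITS // 8                  # 256-byte encoded message / signature

# Stand-in public modulus (assumption): an odd 2048-bit number with the top bit set.
# The forged s satisfies s**3 < N, so pow(s, 3, N) is just s**3 and a real RSA
# modulus of this size would behave identically. No private key exists or is used.
N = random.Random(2006).getrandbits(MODULUS_BITS) | (1 << (MODULUS_BITS - 1)) | 1

MSG = b"constructed sample message"    # constructed input


def digest_info(msg: bytes) -> bytes:
    return SHA256_DIGESTINFO + hashlib.sha256(msg).digest()


def emsa_pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """EM = 00 || 01 || PS || 00 || T, where PS is exactly k - len(T) - 3 ff bytes."""
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def lenient_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    """Parses EM left to right and stops after the hash: the flaw under discussion."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:     # accepts any number of ff bytes, not k - len(T) - 3
        i += 1
    if i >= k or em[i] != 0x00:
        return False
    t = digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t   # whatever follows T is never examined


def strict_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    """RFC 8017 8.2.2 style: rebuild the expected EM and compare it in full."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(msg, k))


def icbrt(n: int) -> int:
    """Floor of the integer cube root (Newton iteration from an overestimate)."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def forge(msg: bytes, k: int) -> bytes:
    """Build a 'signature' whose cube is 00 01 ff 00 || T || garbage, with no private key."""
    prefix = b"\x00\x01\xff\x00" + digest_info(msg)       # a single ff byte
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    s = icbrt(target)
    if s ** 3 < target:
        s += 1                                            # smallest s with s**3 >= target
    cube = (s ** 3).to_bytes(k, "big")
    # Rounding up adds less than 3*s**2 to the cube, which is far below
    # 2**(8*(k - len(prefix))), so the change lands in the garbage, not the prefix.
    assert cube[:len(prefix)] == prefix
    return s.to_bytes(k, "big")


FORGED = forge(MSG, K)

if __name__ == "__main__":
    print("lenient verifier accepts forgery:", lenient_verify(N, E, MSG, FORGED))
    print("strict verifier accepts forgery: ", strict_verify(N, E, MSG, FORGED))
```

The fix is not in the ASN.1 parsing: `strict_verify` never decodes the DigestInfo at all, it just insists that the padding string has exactly the length the modulus dictates, which is what the lenient parser fails to do. The same lenient loop would accept the forgery if the hash were placed directly after the 00 byte with no DER header, which is the last point William makes.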