> From: Peter Gutmann [mailto:[EMAIL PROTECTED] 
> David Wagner <[EMAIL PROTECTED]> writes:
> >(a) Any implementation that doesn't check whether there is 
> extra junk 
> >left over after the hash digest isn't implementing the PKCS#1.5 
> >standard correctly. That's a bug in the implementation.
> No, it's a bug in the spec:
> >9.4 Encryption-block parsing
> >
> Nothing in there about trailing garbage.

Actually, this part is about _encryption_, we are talking here about signature 
padding. But the PKCS#1 spec talks about building up the complete padded 
signature input at the verifier, and then comparing it. However, there is a 
note saying that alternatively one could parse the padding without saying how 
this would be done. The reason to use such a thing is given as saving 
intermediate memory. Oh well!

So in fact what a lot of implementors do, parsing the padding, is not specified 
in sufficient detail to get it right. I would consider this buggy 
implementation resulting from buggy specification.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to