> From: Peter Gutmann [mailto:[EMAIL PROTECTED] 
> "Kuehn, Ulrich" <[EMAIL PROTECTED]> writes:
> >But the PKCS#1 spec talks about building up the complete padded 
> >signature input at the verifier, and then comparing it.
> Uhh, did you actually read the rest of my post?  *One variant 
> of the PKCS #1 spec, that didn't exist at the time the the 
> affected other standards were created*, talks about ..., not 
> "the PKCS #1 spec" as a whole.  I even quoted the original 
> text of the spec in my message.

It might have helped if you indicated that the citation was from the PKCS#1 
standard version 1.5 (?).

Interestingly, I find there (version 1.5) also

        10.2.3 Data decoding

        The data D shall be BER-decoded to give an ASN.1 value of
        type DigestInfo, which shall be separated into a message
        digest MD and a message-digest algorithm identifier. The
        message-digest algorithm identifier shall determine the
        "selected" message-digest algorithm for the next step.

        It is an error if the message-digest algorithm identifier
        does not identify the MD2, MD4 or MD5 message-digest

Here, any trailing garbage would be included in data D. But does an ASN.1 value 
allow such a thing? I am asking this independently of our discussion here.

Anyway, I think we agree on the point that the spec (even version 2.1) is in 
some point unprecise which should be considered a bug, as it can lead to 
implementation flaws. And yes, given what we know, e=3 is a good candidate for 
elimination :)


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to