On Feb 17, 12:18 pm, Geoff Beier <[email protected]> wrote:
> On Thu, Feb 17, 2011 at 12:10, Jeffrey Walton <[email protected]> wrote:
>
> > I'm not sure that it's incorrect - maybe just non-standard??? It's
> > probably easiest to call the RSA decrypt function on the cipher text
> > (i.e., the hash) yourself. http://www.cryptopp.com/wiki/Raw_rsa
>
> Be *very* careful if you do this. It's an approach that invites
> serious, security-relevant errors. It sounds easy when you describe
> it, but I've seen extremely smart developers get this wrong in ways
> that led to acceptance of forged signatures.

Agreed. I don't recall seeing that advisory.

When the collisions were engineered using the extra data, what digest was in play? MD2 or MD5? I would be surprised if someone could do it with SHA-1, and bet against it with near certainty when using SHA-2 or Whirlpool.

> MFSA 2006-60[1] is a good
> public example of a prominent case.
>
> It also marries your code pretty tightly to RSA, which may or may not
> be an issue for you.
>
> Geoff
>
> [1] http://www.mozilla.org/security/announce/2006/mfsa2006-60.html

--
You received this message because you are subscribed to the "Crypto++ Users" Google Group.
More information about Crypto++ and this group is available at http://www.cryptopp.com.
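The failure mode Geoff is warning about, shown as an added example that is not part of the thread and is not Crypto++ code. MFSA 2006-60 was Bleichenbacher's forgery against PKCS#1 v1.5 signature checks with e = 3 that parsed the padding by hand and ignored bytes after the DigestInfo; it does not rely on a collision in the digest, so the choice of MD5, SHA-1 or SHA-2 makes no difference to it. The block below is a toy, standard-library-only RSA (the key is generated from a fixed seed so the run is reproducible, which you must never do for a real key), a `verify_lenient` that "does raw RSA decrypt and looks for the hash" the way a hand-rolled check typically does, a `verify_strict` that re-encodes the expected block and compares all of it, and a `forge` that produces a signature the lenient check accepts. All function names and the sample messages are my own constructions.

```python
"""Raw-RSA signature checking done wrong (accepts forgeries) and done right.
Added example; toy RSA with e = 3, PKCS#1 v1.5 / SHA-256, standard library only."""
import hashlib
import hmac
import random

E = 3
# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = [p for p in range(2, 1000)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def is_probable_prime(n, rng, rounds=16):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits, rng):
    """Toy RSA key with public exponent 3 (p-1 and q-1 must not be multiples of 3).
    Seeded rng is for a reproducible demo only; real keys come from a CSPRNG/library."""
    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if (c - 1) % E != 0 and is_probable_prime(c, rng):
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    n = p * q
    return (n, pow(E, -1, (p - 1) * (q - 1))), (n, E)


def byte_len(n):
    return (n.bit_length() + 7) // 8


def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo || H(msg), exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(priv, msg):
    n, d = priv
    k = byte_len(n)
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")


def verify_lenient(pub, msg, sig):
    """Hand-rolled check: raw RSA 'decrypt', walk the padding, look for the hash."""
    n, e = pub
    k = byte_len(n)
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:      # BUG: no minimum of 8 padding bytes enforced
        i += 1
    if i >= k or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t  # BUG: bytes after the hash are never checked


def verify_strict(pub, msg, sig):
    """RFC 8017, 8.2.2: rebuild the expected encoded block and compare all of it."""
    n, e = pub
    k = byte_len(n)
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, k))


def icbrt(n):
    """Floor of the integer cube root (Newton iteration from an upper bound)."""
    if n == 0:
        return 0
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def forge(pub, msg):
    """Bleichenbacher e=3 forgery: choose s so that s**3, which is below n and so is not
    reduced, begins with 00 01 FF 00 DigestInfo||H(msg); the remaining bytes are garbage."""
    n, e = pub
    assert e == 3
    k = byte_len(n)
    prefix = b"\x00\x01\xff\x00" + SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    s = icbrt(int.from_bytes(prefix + b"\xff" * (k - len(prefix)), "big"))
    # s**3 is within ~3*s**2 of the all-FF block, far less than the garbage range 256**(k-55)
    assert (s ** 3).to_bytes(k, "big").startswith(prefix)
    return s.to_bytes(k, "big")


def run_demo(bits=2048, seed=2006):
    priv, pub = generate_keypair(bits, random.Random(seed))
    msg, forged_msg = b"I owe you 10", b"I owe you 10000"   # constructed sample messages
    genuine, forged = sign(priv, msg), forge(pub, forged_msg)
    return {"genuine_lenient": verify_lenient(pub, msg, genuine),
            "genuine_strict": verify_strict(pub, msg, genuine),
            "forged_lenient": verify_lenient(pub, forged_msg, forged),
            "forged_strict": verify_strict(pub, forged_msg, forged)}


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(name, ok)
```

Needs Python 3.8 or later for `pow(e, -1, m)`; generating the toy 2048-bit key in pure Python takes a second or two. The forgery needs no private key and no hash collision: it only needs a small public exponent and a verifier that does not insist the whole decoded block match. The strict routine is the shape a correct check must have, which is also what a library's signature-verification call does for you, and is one reason not to go through the raw decrypt function at all.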
