RE: Why the exponent 3 error happened:

2006-11-10 Thread Kuehn, Ulrich
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Sonntag, 17. September 2006 06:01 For another example of just how badly this kind of thing can be done, look at this code excerpt from Firefox version 1.5.0.7, which is the fixed version. There are two PKCS-1 parsing

Re: Why the exponent 3 error happened:

2006-10-06 Thread James A. Donald
-- Travis H. wrote: Actually, encoding lengths of other fields in a protocol is probably the easiest way to introduce a remotely-exploitable vulnerability (typically buffer overflow). I'm going to have to side with the no redundancy means no inconsistencies possible argument here. Oh,

Re: Why the exponent 3 error happened:

2006-09-21 Thread Anton Stiglic
As other's have mentioned, I don't believe the small RSA exponent (e = 3) is to blame in Bleichenbacher's attack. Indeed, the mathematical problem of computing the cubic root of m modulo an rsa modulus n, for a *fixed*, arbitrary m, is still considered to be hard (no one has shown the opposite).

RE: [cryptography] Re: Why the exponent 3 error happened:

2006-09-20 Thread Kuehn, Ulrich
From: Ralf-Philipp Weinmann [mailto:[EMAIL PROTECTED] [...] Unfortunately we only found out that there has been prior art by Yutaka Oiwa et al. *AFTER* we successfully forged a certificate using this method (we being Andrei Pyshkin, Erik Tews and myself). The certificate we forged

Re: [cryptography] Re: Why the exponent 3 error happened:

2006-09-20 Thread Ralf-Philipp Weinmann
On Sep 20, 2006, at 3:10 PM, Kuehn, Ulrich wrote: -BEGIN CERTIFICATE- MIICgzCCAWugAwIBAgIBFzANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDYw

Re: [cryptography] Re: Why the exponent 3 error happened:

2006-09-19 Thread Ralf-Philipp Weinmann
On Sep 16, 2006, at 11:31 PM, Eric Young wrote: This is a question I would not mind having answered; while the exponent 3 attack works when there are low bits to 'modify', there has been talk of an attack where the ASN.1 is correctly right justified (hash is the least significant bytes),

Re: Why the exponent 3 error happened:

2006-09-19 Thread James A. Donald
-- imon Josefsson wrote: Again, there is no problem in ASN.1 or PKCS#1 that is being exploited here, only an implementation flaw, even if it is an interesting one. But why did several people independently implement the same or similar flaws? The answer is in Jack Lloyd's post: I wrote a

Re: Why the exponent 3 error happened:

2006-09-18 Thread Simon Josefsson
Whyte, William [EMAIL PROTECTED] writes: This is incorrect. The simple form of the attack is exactly as described above - implementations ignore extraneous data after the hash. This extraneous data is _not_ part of the ASN.1 data. James A. Donald wrote: But it is only

RE: Why the exponent 3 error happened:

2006-09-18 Thread Kuehn, Ulrich
I noticed the exact same code being present in the mozilla 1.7.13 source ... I wonder what the correct consequence would be? Have us crypto people proof-read all relevant source code? Better educate developers? Interestingly the attacker's playground between the 0, 1, 0 and the hash gets

Re: [cryptography] Re: Why the exponent 3 error happened:

2006-09-17 Thread Eric Young
James A. Donald wrote: -- James A. Donald wrote: Code is going wrong because ASN.1 can contain complicated malicious information to cause code to go wrong. If we do not have that information, or simply ignore it, no problem. Ben Laurie wrote: This is incorrect. The simple form of the

RE: Why the exponent 3 error happened:

2006-09-17 Thread Whyte, William
This is incorrect. The simple form of the attack is exactly as described above - implementations ignore extraneous data after the hash. This extraneous data is _not_ part of the ASN.1 data. James A. Donald wrote: But it is only extraneous because ASN.1 *says* it is

Re: Why the exponent 3 error happened:

2006-09-17 Thread Hal Finney
For another example of just how badly this kind of thing can be done, look at this code excerpt from Firefox version 1.5.0.7, which is the fixed version. There are two PKCS-1 parsing functions, one which returns the hash and its prefix, the other of which is given the hash and asked whether it

Re: Why the exponent 3 error happened:

2006-09-16 Thread James A. Donald
-- James A. Donald wrote: Code is going wrong because ASN.1 can contain complicated malicious information to cause code to go wrong. If we do not have that information, or simply ignore it, no problem. Ben Laurie wrote: This is incorrect. The simple form of the attack is exactly as

Re: Why the exponent 3 error happened:

2006-09-16 Thread Ben Laurie
James A. Donald wrote: -- James A. Donald wrote: Code is going wrong because ASN.1 can contain complicated malicious information to cause code to go wrong. If we do not have that information, or simply ignore it, no problem. Ben Laurie wrote: This is incorrect. The simple form of

Re: Why the exponent 3 error happened:

2006-09-16 Thread James A. Donald
-- James A. Donald wrote: Code is going wrong because ASN.1 can contain complicated malicious information to cause code to go wrong. If we do not have that information, or simply ignore it, no problem. Ben Laurie wrote: This is incorrect. The simple form of the attack

Re: Why the exponent 3 error happened:

2006-09-15 Thread Peter Gutmann
Victor Duchovni [EMAIL PROTECTED] writes: This, in my view, has little to do with ASN.1, XML, or other encoding frameworks. Thorough input validation is not yet routinely and consistently practiced by most software developers. Software is almost invariably written to parse formats observed in

Re: Why the exponent 3 error happened:

2006-09-15 Thread Steven M. Bellovin
On Thu, 14 Sep 2006 17:21:28 -0400, Victor Duchovni [EMAIL PROTECTED] wrote: If so, I fear we are learning the wrong lesson, which while valid in other contexts is not pertinent here. TLS must be flexible enough to accommodate new algorithms, this means that the data structures being

Re: Why the exponent 3 error happened:

2006-09-15 Thread Richard Salz
From http://www.w3.org/2001/tag/doc/leastPower.html : When designing computer systems, one is often faced with a choice between using a more or less powerful language for publishing information, for expressing constraints, or for solving some problem. This finding explores tradeoffs relating

Re: Why the exponent 3 error happened:

2006-09-15 Thread James A. Donald
-- Victor Duchovni wrote: If so, I fear we are learning the wrong lesson, which while valid in other contexts is not pertinent here. TLS must be flexible enough to accommodate new algorithms, this means that the data structures being exchanged are malleable, and that implementations must

Re: Why the exponent 3 error happened:

2006-09-15 Thread Peter Gutmann
Steven M. Bellovin [EMAIL PROTECTED] writes: As for the not compatible with a well-socialized human -- well, maybe -- I don't think normal people describe themselves as paranoid by profession Might I refer the reader to http://www.cs.auckland.ac.nz/~pgut001/. I've even received mail from

Re: Why the exponent 3 error happened:

2006-09-15 Thread Hal Finney
James Donald writes: There is no need, ever, for the RSA signature to encrypt anything other than a hash, nor will their ever be such a need. In this case the use of ASN.1 serves absolutely no purpose whatsoever, other than to create complexity, bugs, and opportunities for attack. It is

Re: Why the exponent 3 error happened:

2006-09-15 Thread Ben Laurie
James A. Donald wrote: -- Greg Rose wrote: At 19:02 +1000 2006/09/14, James A. Donald wrote: Suppose the padding was simply 010101010101010 ... 1010101010101 hash with all leading zeros in the hash omitted, and four zero bits showing where the actual hash begins. Then the error

RE: Why the exponent 3 error happened:

2006-09-15 Thread Whyte, William
If so, I fear we are learning the wrong lesson, which while valid in other contexts is not pertinent here. TLS must be flexible enough to accommodate new algorithms, this means that the data structures being exchanged are malleable, and that implementations must validate strict

Re: Why the exponent 3 error happened:

2006-09-14 Thread Greg Rose
At 19:02 +1000 2006/09/14, James A. Donald wrote: Suppose the padding was simply 010101010101010 ... 1010101010101 hash with all leading zeros in the hash omitted, and four zero bits showing where the actual hash begins. Then the error would never have been possible. I beg to differ. A

Re: Why the exponent 3 error happened:

2006-09-14 Thread Victor Duchovni
On Thu, Sep 14, 2006 at 11:25:11AM -0400, [EMAIL PROTECTED] wrote: James A. Donald writes: -+--- | snip | | ASN.1 provided additional redundant information, making | possible unexpected data layouts that should not | normally happen. It had too much expressive

Re: Why the exponent 3 error happened:

2006-09-14 Thread James A. Donald
-- Greg Rose wrote: At 19:02 +1000 2006/09/14, James A. Donald wrote: Suppose the padding was simply 010101010101010 ... 1010101010101 hash with all leading zeros in the hash omitted, and four zero bits showing where the actual hash begins. Then the error would never have been