I tried coming up with my own forged signature that could be validated with
OpenSSL (which I intended to use to test other libraries). I haven't
succeeded, either because in the particular example I came up with OpenSSL
does something that catches the invalid signature, or I messed up somewhere
(
> From: Ralf-Philipp Weinmann
> [mailto:[EMAIL PROTECTED]
[...]
> Unfortunately we only found out that there has been prior art
> by Yutaka Oiwa et al. *AFTER* we successfully forged a
> certificate using this method (we being Andrei Pyshkin, Erik
> Tews and myself).
>
> The certificate we
On Sep 20, 2006, at 3:10 PM, Kuehn, Ulrich wrote:
-BEGIN CERTIFICATE-
MIICgzCCAWugAwIBAgIBFzANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDYw
ODE5MTY1MTMwWhcNMDYxMD
http://www.newsday.com/news/printedition/stories/ny-wocode184896831sep18,0,7091966,print.story
That isn't supposed to be possible these days... (I regard it as more
likely that they were doing traffic analysis and direction-finding than
actually cracking the ciphers.)
--Steven M.
David Wagner <[EMAIL PROTECTED]> writes:
>(a) Any implementation that doesn't check whether there is extra junk left
>over after the hash digest isn't implementing the PKCS#1.5 standard
>correctly. That's a bug in the implementation.
No, it's a bug in the spec:
>9.4 Encryption-block parsing
>
>I
From: Ian Brown <[EMAIL PROTECTED]>
Subject: On-card displays
To: [EMAIL PROTECTED]
Date: Wed, 20 Sep 2006 07:29:13 +0100
Via Bruce Schneier's blog, flexible displays that can sit on smartcards.
So we finally have an output mechanism that means you don't have to
trust smartcard terminal displays: