On Thu, Jul 09, 2026 at 12:13:06PM +0000, Peter Gutmann wrote:
> Orr Dunkelman <[email protected]> writes:
>
> >"In my opinion the issue is not implementation errors, they can be avoided
> >with the right discipline"
>
> Has there ever been a vulnerability with a crypto, ah, implementation that
> *wasn't* an implementation error?
>
Maybe it just was a rethorical quations, but here is a quick brain dump, sorry
if I missed anybody's favoite:
Broken deployed crypo: MD4, MD5, RC4, SHA1, TETRA, A5/1, A5/2, ... sadly, this
goes on
Too small choice of parameters: RSA-512 and other export-grade crypto
Bad design ideas: RSA prime generation by Infinon (ROCA)
Proocol: RSA PKCS 1.5 and other padding oracles
All of those are weak even with an implementation that's perfectly matching the
specs,
All the best
Tanja
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]