No, I don't think you are missing anything; I still haven't had time to check the code. The real question is: after determining the hash, if there is data left over, it should error out. Thanks for looking at it, I'll take a look too.
Ron
-----Original Message-----
From: Cerebus
Sent: Friday, November 24, 2006 3:10 PM

On 11/24/06, Ron Teitelbaum Ron@usmedrec.com wrote:

We still need to review our validation of e=3 signatures. Did you have a look at that? Is there any way that reading ASN.1 would stop and leave more data past the hash without throwing an error?
I think I'm missing something here. PKCS#1 signatures require digesting, encoding, encrypting, and then conversion to bit-string. The encoding step takes the hash and wraps it in the following ASN.1:
DigestInfo ::= SEQUENCE {
    digestAlgorithm DigestAlgorithmIdentifier,
    digest Digest }

DigestAlgorithmIdentifier ::= AlgorithmIdentifier

Digest ::= OCTET STRING
I'm looking at RSAKey>>v15SignMessageHash: and RSAKey>>v15VerifySignature:ofMessageHash: and the encoding step is being skipped.
Or am I misusing RSAKey? Or do I have an old version? (I'm still figuring out this whole Squeak packaging mess.)
In re: the question, it looks to me like validation is not currently vulnerable to the attack because RSAKey>>v15VerifySignature:ofMessageHash: isn't doing any ASN.1 decoding to attack! :)
-- Tim

_______________________________________________
Cryptography mailing list
Cryptography@lists.squeakfoundation.org
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
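An added example, not code from this thread or from Squeak's RSAKey, written in Python rather than Smalltalk: it builds the EMSA-PKCS1-v1_5 block with the DigestInfo encoding Tim describes, and contrasts a verifier that rebuilds the whole block and compares every byte with one that parses forward and stops at the hash, which is exactly the "data left over" case Ron says must error out. The SHA-1 DigestInfo prefix is the DER value from RFC 3447 section 9.2; the message and the malformed block are constructed test vectors.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-1 (RFC 3447 section 9.2, note 1):
# SEQUENCE { SEQUENCE { OID sha1, NULL }, OCTET STRING (20 bytes) }
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info(msg: bytes) -> bytes:
    """T = DigestInfo prefix || SHA-1(msg): the encoding step Tim says RSAKey skips."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()


def emsa_pkcs1_v15_encode(msg: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T, with PS = 0xFF bytes filling em_len."""
    t = digest_info(msg)
    if em_len < len(t) + 11:          # PS must be at least 8 bytes long
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def verify_strict(em: bytes, msg: bytes) -> bool:
    """Rebuild the expected block and compare every byte: leftover data cannot hide."""
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(msg, len(em)))


def verify_lenient(em: bytes, msg: bytes) -> bool:
    """Parse forward and stop once the hash is read; bytes after it are never checked."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t    # em[i + 1 + len(t):] is silently ignored


def demo(em_len: int = 128) -> dict:
    """Constructed test vectors: a correct block and a block with data past the hash."""
    msg = b"squeak cryptography test message"      # constructed message
    good = emsa_pkcs1_v15_encode(msg, em_len)
    t = digest_info(msg)
    # Malformed block: minimal padding, correct T, then filler bytes after the hash.
    bad = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    bad += b"\x2a" * (em_len - len(bad))
    return {
        "good_strict": verify_strict(good, msg),
        "good_lenient": verify_lenient(good, msg),
        "bad_strict": verify_strict(bad, msg),      # rejected: trailing data alters the block
        "bad_lenient": verify_lenient(bad, msg),    # accepted: the leftover-data bug
    }
```

The strict form never needs to parse the signature's ASN.1 at all, which is the simplest way to guarantee that nothing past the hash goes unchecked.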