Thank you I posted and released your change.
We still need to review our validation of e=3 signatures. Did you have a look at that? Is there any way that reading ASN.1 would stop and leave more data past the hash without throwing an error?
Ron
-----Original Message-----
From: cryptography-bounces@lists.squeakfoundation.org [mailto:cryptography-bounces@lists.squeakfoundation.org] On Behalf Of cerebus2@gmail.com
To: cryptography@lists.squeakfoundation.org
Subject: [Cryptography Team] [FIX] Crypto changes
from preamble:
"Change Set: Crypto changes Date: 23 November 2006 Author: Timothy J. Miller
Changed e to 65537."!
On 11/24/06, Ron Teitelbaum Ron@usmedrec.com wrote:
We still need to review our validation of e=3 signatures. Did you have a look at that? Is there any way that reading ASN.1 would stop and leave more data past the hash without throwing an error?
I think I'm missing something here. PKCS#1 signatures require digesting, encoding, encrypting, and then conversion to bit-string. The encoding step takes the hash and wraps it in the following ASN.1:
DigestInfo ::= SEQUENCE { digestAlgorithm DigestAlgorithmIdentifier, digest Digest }
DigestAlgorithmIdentifier ::= AlgorithmIdentifier
Digest ::= OCTET STRING
I'm looking at RSAKey>>v15SignMessageHash: and RSAKey>>v15VerifySignature:ofMessageHash: and the encoding step is being skipped.
Or am I misusing RSAKey? Or do I have an old version? (I'm still figuring out this whole Squeak packaging mess.)
In re: the question, it looks to me like validation is not currently vulnerable to the attack because RSAKey>>v15VerifySignature:ofMessageHash: isn't doing any ASN.1 decoding to attack! :)
-- Tim
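As an added example (not code from the Squeak Cryptography package or from anyone in this thread), here is the DigestInfo wrapping Tim describes and the leftover-data check Ron asks about, in Python with SHA-256 as an assumed digest: the strict verifier rebuilds the whole encoded message and compares every byte, while the lenient one stops reading once it has found the hash and therefore never notices bytes left over after it.

```python
import hashlib

# DER for DigestInfo { AlgorithmIdentifier { sha256, NULL }, OCTET STRING[32] }
# minus the hash itself; the standard RFC 3447 prefix, assumed here as the digest.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(message: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { digestAlgorithm, digest } for SHA-256."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T, with PS all 0xFF and at least 8 bytes."""
    t = digest_info(message)
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_strict(em: bytes, message: bytes) -> bool:
    """Correct check: the recovered EM must equal the freshly built one byte for byte."""
    return em == emsa_pkcs1_v15_encode(message, len(em))


def verify_lenient(em: bytes, message: bytes) -> bool:
    """The flawed check: walk the padding, compare the hash, ignore the rest.
    Shown only to contrast with verify_strict; do not use."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = digest_info(message)
    return em[i + 1:i + 1 + len(t)] == t  # bytes after T are never examined


def demo(em_len: int = 128) -> tuple:
    """Constructed inputs: a well-formed EM and one with short padding plus trailing bytes."""
    msg = b"constructed sample message"
    good = emsa_pkcs1_v15_encode(msg, em_len)
    t = digest_info(msg)
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    malformed = head + b"\x00" * (em_len - len(head))  # leftover data past the hash
    return (verify_strict(good, msg), verify_lenient(good, msg),
            verify_strict(malformed, msg), verify_lenient(malformed, msg))
```

The last two values of demo() show the difference: the strict comparison rejects the message with leftover data, the lenient parse accepts it.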
No, I don't think you are missing anything; I still haven't had time to check the code. The real question is, after determining the hash, if there is data left over it should error out. Thanks for looking at it. I'll take a look too.
Ron
-----Original Message-----
From: Cerebus
Sent: Friday, November 24, 2006 3:10 PM
On 11/24/06, Ron Teitelbaum Ron@usmedrec.com wrote:
We still need to review our validation of e=3 signatures. Did you have a look at that? Is there any way that reading ASN.1 would stop and leave more data past the hash without throwing an error?
I think I'm missing something here. PKCS#1 signatures require digesting, encoding, encrypting, and then conversion to bit-string. The encoding step takes the hash and wraps it in the following ASN.1:
DigestInfo ::= SEQUENCE { digestAlgorithm DigestAlgorithmIdentifier, digest Digest }
DigestAlgorithmIdentifier ::= AlgorithmIdentifier
Digest ::= OCTET STRING
I'm looking at RSAKey>>v15SignMessageHash: and RSAKey>>v15VerifySignature:ofMessageHash: and the encoding step is being skipped.
Or am I misusing RSAKey? Or do I have an old version? (I'm still figuring out this whole Squeak packaging mess.)
In re: the question, it looks to me like validation is not currently vulnerable to the attack because RSAKey>>v15VerifySignature:ofMessageHash: isn't doing any ASN.1 decoding to attack! :)
-- Tim _______________________________________________ Cryptography mailing list Cryptography@lists.squeakfoundation.org http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
On 11/24/06, Ron Teitelbaum Ron@usmedrec.com wrote:
No, I don't think you are missing anything; I still haven't had time to check the code. The real question is, after determining the hash, if there is data left over it should error out. Thanks for looking at it. I'll take a look too.
If I'm not missing anything, then doesn't this mean that the implementation is incorrect?
-- Tim
HEHEEH! Reminds me of the old joke: "Just because you are paranoid doesn't mean somebody isn't following you!"
I'm not sure. I still need to look. It's very easy to throw your own ASN.1 code. A few bits here and a few bits there and it's all wrapped up nicely. Instead of guessing, let me have a look and see. I'll try to get to it next week.
I have a big meeting coming up and I'm really short on time. Sorry,
Ron Teitelbaum
-----Original Message-----
From: cryptography-bounces@lists.squeakfoundation.org [mailto:cryptography-bounces@lists.squeakfoundation.org] On Behalf Of Cerebus
Sent: Friday, November 24, 2006 5:40 PM
To: Ron@usmedrec.com; Cryptography Team Development List
Subject: Re: RE: RE: [Cryptography Team] [FIX] Crypto changes
On 11/24/06, Ron Teitelbaum Ron@usmedrec.com wrote:
No, I don't think you are missing anything; I still haven't had time to check the code. The real question is, after determining the hash, if there is data left over it should error out. Thanks for looking at it. I'll take a look too.
If I'm not missing anything, then doesn't this mean that the implementation is incorrect?
-- Tim