Re: AlgorithmIdentifier, SHA-1, etc.
At Sat, 07 Apr 2007 12:39:07 +0100,
Dr Stephen Henson wrote:
>
>
> Russ Housley wrote:
> >
> > Note that the DigestInfoValue is part of the structure that is
> > "encrypted" with the RSA private key when generating a signature. It is
> > recovered by "decrypting" the signature value with the RSA public key.
> >
>
> Note that care should be taken when handling the DigestInfo structure
> recovered from an RSA signature.
>
> As well as the original Bleichenbacher signature forgery attack (caused
> by ignoring trailing garbage after DigestInfo) there is a variant which
> inserts garbage in the middle of the recovered structure. Allowing
> arbitrary parameter values in the DigestAlgorithmIdentifier (for example
> large OCTET STRINGs) is one way to do this. Unlike the original attack
> this variant produces a "valid" DigestInfo structure.
>
> As a result, in the specific case of the recovered DigestInfo from an RSA
> signature, OpenSSL now only tolerates a NULL or absent parameter field.
> This is OK for all existing digests.
>
> It is more liberal about DigestInfo structures in other contexts.
Stephen,
As I recall OpenSSL puts the NULL in the digestAlgorithm encoding
as well. Am I right about that?
Thanks,
-Ekr
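The strict handling of the recovered DigestInfo that Stephen describes above, as an added example (not OpenSSL's code and not from this thread): the outer SEQUENCE must span the whole recovered buffer, the digestAlgorithm parameters must be absent or exactly NULL, and the OCTET STRING must be the last element. The id-sha1 OID encoding and the minimal DER length reader are the only assumptions; `build_digestinfo` is a helper that assumes lengths under 128 bytes.

```python
# Added example: strict DigestInfo validation for PKCS#1 v1.5 verification.
# Assumption: digest_oid is the full DER TLV of the digest OID (tag 0x06).
SHA1_OID = bytes.fromhex("06052b0e03021a")   # id-sha1 (1.3.14.3.2.26), DER TLV


def _tlv(buf, pos, tag):
    """Read one DER TLV at buf[pos]; return (value_start, value_end)."""
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated header")
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form length, minimal encoding only
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("bad length")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        if length < 0x80:
            raise ValueError("non-minimal length")
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated value")
    return start, end


def strict_digestinfo_ok(recovered, digest_oid, expected_digest):
    """True only for SEQUENCE { SEQUENCE { oid, [NULL] }, OCTET STRING } exactly."""
    try:
        s, e = _tlv(recovered, 0, 0x30)
        if e != len(recovered):
            return False                  # trailing bytes: the original forgery
        a_s, a_e = _tlv(recovered, s, 0x30)
        _, oid_e = _tlv(recovered, a_s, 0x06)
        if recovered[a_s:oid_e] != digest_oid:
            return False
        if recovered[oid_e:a_e] not in (b"", b"\x05\x00"):
            return False                  # anything else in parameters: the variant
        d_s, d_e = _tlv(recovered, a_e, 0x04)
        if d_e != e:
            return False                  # OCTET STRING must close the outer SEQUENCE
        return recovered[d_s:d_e] == expected_digest
    except ValueError:
        return False


def build_digestinfo(digest_oid, digest, with_null=True):
    """Helper to construct a well-formed DigestInfo (lengths < 128 assumed)."""
    alg = digest_oid + (b"\x05\x00" if with_null else b"")
    body = b"\x30" + bytes([len(alg)]) + alg + b"\x04" + bytes([len(digest)]) + digest
    return b"\x30" + bytes([len(body)]) + body
```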