Hi there
I am developing the secured key storage for one of my mobile device running
JB422, found out that the default keystore signing and verifying API always
force the device using the following options
params.digest_type = DIGEST_NONE;
params.padding_type = PADDING_NONE;
That says we have to sign the data with a RSA private key without padding,
and during verification, we have to use the raw mode to verify data
That sounds to be a known security issue of not using PADDING in signature
processes
Several places all talk about the potential vulnerabilities
http://en.wikipedia.org/wiki/RSA_(algorithm)
http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
Wonder if any security experts can comment if I am wrong or right?
Appreciate with your help!
Thanks
Rex
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/groups/opt_out.
