Peter,

> From: Peter Gutmann [mailto:[EMAIL PROTECTED]
>
> David Wagner <[EMAIL PROTECTED]> writes:
>
> >(a) Any implementation that doesn't check whether there is extra junk
> >left over after the hash digest isn't implementing the PKCS#1.5
> >standard correctly. That's a bug in the implementation.
>
> No, it's a bug in the spec:
>
> >9.4 Encryption-block parsing
> [...]
>
> Nothing in there about trailing garbage.
Actually, this part is about _encryption_; we are talking here about signature padding.

But the PKCS#1 spec talks about building up the complete padded signature input at the verifier, and then comparing it. However, there is a note saying that alternatively one could parse the padding, without saying how this would be done. The reason to use such a thing is given as saving intermediate memory. Oh well!

So in fact what a lot of implementors do, parsing the padding, is not specified in sufficient detail to get it right. I would consider this buggy implementation resulting from buggy specification.

Regards,
Ulrich

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
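The two verifier strategies Ulrich contrasts, as an added illustration that is not part of the thread: `verify_by_comparison` does what the spec describes (rebuild the complete padded block from the message hash and compare it byte-for-byte with the block recovered from the signature), while `verify_by_lenient_parsing` walks the padding and stops once it has matched the hash, never checking that the block ends there. The constructed block from `constructed_block_with_trailing_bytes` has only the minimum eight padding bytes and filler after the DigestInfo; the comparison verifier rejects it, the lenient parser accepts it. RSA itself is left out, since the point is purely about checking the decoded block; the SHA-256 DigestInfo prefix is the one given in PKCS#1 v2.1 (RFC 3447), and the function names and sample message are assumptions made for this example.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-256 from PKCS#1 v2.1 (RFC 3447), section 9.2 note 1.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(message: bytes) -> bytes:
    """T = DigestInfo prefix || SHA-256(message)."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Build the full encoded block EM = 0x00 || 0x01 || PS || 0x00 || T,
    with PS being 0xFF bytes that fill the block out to em_len (the key size)."""
    t = digest_info(message)
    if em_len < len(t) + 11:  # spec requires at least 8 padding bytes plus 3 framing bytes
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_by_comparison(em: bytes, message: bytes) -> bool:
    """The approach the spec describes: rebuild the whole block and compare it.
    Any trailing bytes after T make the blocks differ, so they are rejected
    without any explicit 'no trailing garbage' rule."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)  # constant-time comparison


def verify_by_lenient_parsing(em: bytes, message: bytes) -> bool:
    """A parsing verifier that saves the memory of rebuilding EM but, as written,
    never checks that T is the last thing in the block (the bug under discussion)."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    # Need at least 8 bytes of 0xFF padding followed by the 0x00 separator.
    if i < 10 or i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = digest_info(message)
    # Matches T wherever the padding happens to end; whatever follows T is ignored.
    return em[i:i + len(t)] == t


def constructed_block_with_trailing_bytes(message: bytes, em_len: int) -> bytes:
    """Constructed for this demo only: a block with the minimum 8 bytes of padding,
    the correct T, and filler bytes after T making up the rest of the key length."""
    t = digest_info(message)
    ps = b"\xff" * 8
    filler_len = em_len - 3 - len(ps) - len(t)
    if filler_len < 0:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + ps + b"\x00" + t + b"\x00" * filler_len


def demo() -> dict:
    """Run both verifiers over a well-formed block and the constructed one
    (constructed sample message, 256-byte block as for a 2048-bit key)."""
    message = b"constructed sample message"
    em_len = 256
    good = emsa_pkcs1_v15_encode(message, em_len)
    trailing = constructed_block_with_trailing_bytes(message, em_len)
    return {
        "comparison_accepts_good": verify_by_comparison(good, message),
        "parsing_accepts_good": verify_by_lenient_parsing(good, message),
        "comparison_accepts_trailing": verify_by_comparison(trailing, message),
        "parsing_accepts_trailing": verify_by_lenient_parsing(trailing, message),
        "comparison_accepts_wrong_msg": verify_by_comparison(good, b"other"),
        "parsing_accepts_wrong_msg": verify_by_lenient_parsing(good, b"other"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The takeaway for an implementer is the one in the thread: rebuilding and comparing the full block (the spec's described method) makes the "trailing garbage" question disappear, whereas a parser has to add that check itself, and the spec gives it no text to follow. If memory really forces a parser, the minimal fix is to require that the padding run end exactly `len(T) + 1` bytes before the end of the block, which the comparison method enforces implicitly.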