Hanno Böck wrote:
> m...@sap.com (Martin Rex) wrote:
>>
>> The *huge* advantage of PKCS#1 v1.5 signatures over RSA-PSS and ECDSA
>> signatures is that one can clearly distinguish "wrong public key"
>> from "signature does not fit plaintext" errors, and losing this
>> capability makes certain kinds of programming goofs (plus a few
>> admin configuration goofs) much harder to distinguish from
>> data corruption during transfer.
>
> Actually I see this as a disadvantage. Separating different error
> states has been the source of a whole number of vulnerabilities. The
> original Bleichenbacher attack (and all its variants including drown)
> is based on separating different errors, the Vaudenay attack is.
I'm sorry, but this is clueless.

Signature verification is a PUBLIC KEY operation. You're not creating
an oracle with a public key operation. The examples you cite are about
secret key and private key operations which create oracles. That isn't
even in the same universe.

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
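The distinction Martin describes, shown as an added example that is not part of the thread: a PKCS#1 v1.5 verifier that reports whether the block recovered from the signature failed structurally (what a mismatched public key or a corrupted signature produces) or was well-formed but carried the digest of a different message. The RSA key pair is a toy, seeded, pure-Python one generated inside the block purely so it runs offline (an assumption; not for real use), the message is a constructed sample, and the SHA-256 DigestInfo prefix is the RFC 8017 constant. ECDSA verification yields only accept/reject, and the salted, masked RSA-PSS encoding leaves much less fixed structure to check, so neither gives this split reliably; whether surfacing it from a public-key operation is a debugging aid or a liability is exactly the disagreement above.

```python
"""PKCS#1 v1.5 verification that reports *why* verification failed.

Toy RSA (seeded key generation) is used only for self-containment.
"""
import hashlib
import random

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin primality test (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def make_keypair(bits: int = 512, seed: int = 0):
    """Return (n, e, d). Seeded so runs are repeatable; NOT a real key."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def emsa_pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """EM = 00 || 01 || PS (>= 8 bytes of FF) || 00 || DigestInfo."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_encode(msg, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def verify(msg: bytes, sig: bytes, n: int, e: int) -> str:
    """Return 'ok', 'bad_structure' (EM not well-formed: wrong key or
    corrupted signature) or 'hash_mismatch' (well-formed EM, other data)."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return "bad_structure"
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not em.startswith(b"\x00\x01"):
        return "bad_structure"
    sep = em.find(b"\x00", 2)            # end of the FF padding string
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return "bad_structure"           # fewer than 8 FF bytes, or junk
    t = em[sep + 1:]
    if len(t) != len(SHA256_DIGESTINFO) + 32 or not t.startswith(SHA256_DIGESTINFO):
        return "bad_structure"
    if t[len(SHA256_DIGESTINFO):] != hashlib.sha256(msg).digest():
        return "hash_mismatch"
    return "ok"


def demo() -> dict:
    """Exercise the three outcomes on constructed inputs."""
    n, e, d = make_keypair(seed=1)
    n2, e2, _ = make_keypair(seed=2)     # unrelated key, e.g. a misconfigured trust store
    msg = b"constructed sample: handshake transcript"
    sig = sign(msg, n, d)
    corrupted = sig[:-1] + bytes([sig[-1] ^ 0x01])   # one flipped bit in transit
    return {
        "right_key_right_msg": verify(msg, sig, n, e),
        "wrong_key": verify(msg, sig, n2, e2),
        "tampered_msg": verify(msg + b"!", sig, n, e),
        "corrupted_sig": verify(msg, corrupted, n, e),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} -> {outcome}")
```

Running it prints `ok`, `bad_structure`, `hash_mismatch`, `bad_structure` for the four cases: a verifier using the wrong public key or a bit-flipped signature recovers a block that is not a valid EM at all, while a signature over different data decodes cleanly and fails only at the final digest comparison. A hardened deployment would still log this split only on the verifying side and return a single failure code to the peer.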