| ▲ | Muromec 10 hours ago |
| So another lesson had been relearned from asn.1. I'm proud of working in this industry again! Next we will figure out to always put versions into the data too |
|
| ▲ | maxtaco 10 hours ago | parent | next [-] |
| I would say two problems with the asn.1 approach are: (1) it seems like too much cognitive overload for the OIDs to have semantic meaning, and it invites accidental reuse; I think it matters way more that the OIDs are unique, which randomness gets you without much effort; and (2) the OIDs aren't always serialized first, they are allowed to be inside the message, and there are failures that have resulted (https://nvd.nist.gov/vuln/detail/cve-2022-24771, https://nvd.nist.gov/vuln/detail/CVE-2025-12816) (edit on where the OIDs can be, and added another CVE) |
| |
| ▲ | themafia 8 hours ago | parent [-] | | Those CVEs seem a little more subtle than OID serialization issues. In the first example there are actually two distinct problems in concert that lead to the vulnerability, one of which is when a "low public exponent" is used. https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1... | | |
| ▲ | tptacek 5 hours ago | parent | next [-] | | This is Bleichenbacher's rump-session e=3 RSA attack. It's pretty straightforward, and is in Cryptopals if anyone wants to try it. If you don't check all the RSA padding, and you use e=3, you can just take an integer cube root. | |
| ▲ | maxtaco 7 hours ago | parent | prev [-] | | It seems like in that PR, the fact that the OID wasn't checked is part of the problem. I think a better system wouldn't compile or would always fail to verify if the OID (domain separator) is wrong, and I think you'd get that behavior in the posted system. |
|
|
|
| ▲ | jbmsf 10 hours ago | parent | prev [-] |
| That was my first thought as well. |
