[cryptography] preventing protocol failings

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Jul 5 08:59:49 EDT 2011


Nico Williams <nico at cryptonector.com> writes:

>Why even have a tag??  The ASN.1 Packed Encoding Rules (think ONC XDR with 1-
>byte alignment instead of 4-byte alignment) doesn't use tags at all.

Which makes them impossible to statically check, and leads to hellishly
complex decoders.

>In BER/DER/CER/XML you get a lot of redundancy: tag-length-value, sometimes
>tag-length-tag-length-value (e.g., when explicit tagging is used). 

This is a feature, not a flaw, because it means you can statically type-check
it.  With BER/DER I can implement a filter that takes as input any encoded
blob and reports true or false for the question "is this well-formed data".
With CER (and XML, and PGP, and SSH, and SSL/TLS, and IPsec) I can't.

>If you want to prevent new bugs in these areas, let's start with putting the
>venerable BER/DER/CER to rest in the trash bin.  Legacy will make that a
>difficult proposition.

BER and DER are actually the safest encodings of the major security protocols
I work with.  I'd rank them, in terms of danger, as:

SSH

[Long gap]

PGP, SSL/TLS

[Smaller gap]

BER/DER

Peter.
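
Added example, not part of the post above or of any project's code: a minimal Python filter of the kind the post describes, answering "is this well-formed data" for a BER/DER blob from its tag-length-value framing alone, with no schema. The function names, `MAX_DEPTH` and `SAMPLE` are assumptions of this example; it checks framing only, not type-specific content rules or DER's canonical-form restrictions.

```python
MAX_DEPTH = 64  # assumed nesting limit for this example, not from the post
# Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "hi" }
SAMPLE = bytes.fromhex("300702010504026869")

def _header(buf, pos, end):
    """Parse identifier and length octets; return (constructed, length, pos)."""
    if pos >= end:
        raise ValueError("truncated identifier")
    constructed, more = bool(buf[pos] & 0x20), (buf[pos] & 0x1F) == 0x1F
    pos += 1
    while more:                              # high-tag-number form
        if pos >= end:
            raise ValueError("truncated tag")
        more = bool(buf[pos] & 0x80)
        pos += 1
    if pos >= end:
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                         # short form
        return constructed, first, pos
    if first == 0x80 and constructed:        # indefinite form, constructed only
        return constructed, None, pos
    n = first & 0x7F
    if n in (0, 0x7F) or pos + n > end:      # primitive indefinite, reserved, truncated
        raise ValueError("bad long-form length")
    return constructed, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def _walk(buf, pos, end, depth):
    """Validate the TLV at pos inside buf[pos:end]; return the offset after it."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    constructed, length, pos = _header(buf, pos, end)
    if length is None:                       # children until end-of-contents 00 00
        while not (pos + 2 <= end and buf[pos] == 0 and buf[pos + 1] == 0):
            pos = _walk(buf, pos, end, depth + 1)
        return pos + 2
    stop = pos + length
    if stop > end:
        raise ValueError("value overruns its container")
    while constructed and pos < stop:        # children must tile the value exactly
        pos = _walk(buf, pos, stop, depth + 1)
    return stop

def is_well_formed(blob):
    """True iff blob is exactly one TLV whose framing is valid BER."""
    try:
        return _walk(blob, 0, len(blob), 0) == len(blob)
    except ValueError:
        return False
```

The inner length of every nested element is checked against the length its container declared, which is the redundancy the post calls a feature.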


