draft-harris-ssh-rsa-kex-01.txt

To: ietf-ssh%netbsd.org@localhost
Subject: draft-harris-ssh-rsa-kex-01.txt
From: der Mouse <mouse%Rodents.Montreal.QC.CA@localhost>
Date: Sat, 2 Apr 2005 20:16:10 -0500 (EST)

I've just been trying to implement draft-harris-ssh-rsa-kex-01.txt.
There is a subtle gotcha lurking in that spec that I would like to see
clarified.

One of the packets is described as

       byte      SSH_MSG_KEXRSA_SECRET
       string    RSAES-OAEP-ENCRYPT(K_T, K)

Now, the OAEP encryption is a raw RSA encryption of a number computed
in a complicated way that's not relevant here.  Thus, it is,
fundamentally, a big number, even though 3447 specifies that it's
converted to an octet string.

Now, RFC3447 *does* specify that conversion.  But the encoding of this
data blob as a string is deceptively close to the encoding of the big
number as an mpint (the major difference is exactly how and when
leading zero bits are included).  I'd like to see this similarly
explicitly acknowledged and clarified.  Maybe something like

   Note that the encoding of the encrypted secret is similar to the
   "mpint" encoding of the raw RSA encryption result, but differs in
   its handling of high-order 0 bits.  The packet contains the octet
   sequence as a "string", not the raw RSA output as an "mpint".

(Assuming of course that that's what is intended; if not, the wording
needs even mroe work.)

Thoughts?  Comments?

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse%rodents.montreal.qc.ca@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Follow-Ups:
- Re: draft-harris-ssh-rsa-kex-01.txt
  - From: Ben Harris
- Re: draft-harris-ssh-rsa-kex-01.txt
  - From: Peter Gutmann

Prev by Date: Re: filexfer-07
Next by Date: Re: Ben Harris's individual submissions: arcfour-fixes and rsa-kex
Previous by Thread: Publishing filexfer again in a couple of hours...
Next by Thread: Re: draft-harris-ssh-rsa-kex-01.txt
Indexes:

Home | Main Index | Thread Index | Old Index