hal(_at_)finney(_dot_)org writes:
Florian Weimer, <Florian(_dot_)Weimer(_at_)RUS(_dot_)Uni-Stuttgart(_dot_)DE>,
writes:
From the current draft:
| 3.2. Multi-Precision Integers
| The length field of an MPI describes the length starting from its
| most significant non-zero bit. Thus, the MPI [00 02 01] is not
| formed correctly. It should be [00 01 01].
I think it's worthwhile to point out that MPIs with an arbitrary
number of leading zeroes might legitimately occur inside V3 secret key
packets. Perhaps it's even necessary to amend section 5.5.3 to
clarify this issue (i.e. that leading zeroes MUST NOT be stripped in
this case).
Why is this? Are you worried about leaking information about the size
of p, q, etc.?
No, the cause is completely different. The unencrypted actual MPI
determines the bit length and should not include any leading zeroes,
but encryption might introduce them (and it's probably not wise to
adjust the bit length accordingly).
--
Florian Weimer
Florian(_dot_)Weimer(_at_)RUS(_dot_)Uni-Stuttgart(_dot_)DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898