Yep. One aspect was already mentioned "NUL" characters. The obvious counter
measurement was also mentionen "base64". But this reduces the possible input
variation. It might be possible to mount an attack on it.
If you can, the hash function is broken. Assuming of course that you're taking
then entire expanded string. Any textification of a string is just a sloppy
coding, and if the hash function has odd properties, then it's very, very
broken.
The general rule is: If you fear, that the default algorithm is not safe,
change it! You can't incease security by chaining algorithms.
Yes! I couldn't agree more.
Jon
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp