DER is the Distinguished Encoding Rules, a subset of BER encoding. DER is used to encode ASN.1 data such that, for any particular value, there is exactly one valid encoding. BER, on the other hand, allows many possible encodings for the same piece of data. Because DER is a strict subset, ASN.1 data encoded as DER can be read by any BER decoder. Like BER, DER encodes any ASN.1 value into a series of octets (aka bytes).

How is DER useful? First, it's useful when you want to do something like create a digital signature over a piece of ASN.1 data. Since BER has many options in its encoding, which an encoder can choose between as it pleases, the same data can end up with a different representation after it is decoded and re-encoded, meaning the digital signature would no longer verify. This is a bad thing. All DER encoders will always encode the same value to the same byte string (unless they're buggy).

Secondly, it's much, much easier to decode DER than it is to decode BER. BER (and by extension DER) encodes each ASN.1 data item using a TLV (tag, length, value) system. However, BER allows you to do some pretty sick things, including splitting a string up into multiple sub-strings and encoding each one separately. This might make some sense if you were, say, encoding a 1 megabyte text file as an ASN.1 value. But in ASN.1, things like timestamps (time values are stored as strings in BER/DER) can also be split up in this way, even though it doesn't make any sense since they're only a few bytes long. Nonetheless, a BER decoder has to be able to handle it. This kind of crap is illegal in DER.

An additional problem with writing a BER decoder is that virtually nobody actually uses BER encoding, so it's nearly impossible to get any real-world test input that exercises the optional BER rules.

In fact, it's a bit easier to write an encoder for DER as well. Specifically, by using DER you are automatically constrained in what you can output, so you don't really have to make any choices about anything. Got an integer value? You encode it like this, and no other way. That makes things much easier to test, too.
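As an added example (my own code, not part of this writeup): a Python DER INTEGER encoder plus a strict TLV reader that rejects the BER-only forms described above (indefinite length, non-minimal length octets, constructed strings and times, non-minimal INTEGER contents). It assumes single-octet tags and checks only top-level TLVs; is_strict_der is just a convenience wrapper that returns True when every top-level TLV passes.

```python
class DERError(ValueError): pass  # input uses an encoding DER forbids, or is truncated

def der_length(n):
    # DER length octets: short form below 128, otherwise the minimal long form.
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value):
    # Tag 0x02 plus the shortest two's-complement content octets.
    magnitude = value if value >= 0 else ~value
    nbytes = (magnitude.bit_length() + 8) // 8  # >= 1, with room for the sign bit
    return b"\x02" + der_length(nbytes) + value.to_bytes(nbytes, "big", signed=True)

def read_tlv(data, offset=0):
    # Parse one TLV strictly; returns (tag, content, next_offset) or raises DERError.
    if offset + 1 >= len(data):
        raise DERError("truncated header")
    tag, first, pos = data[offset], data[offset + 1], offset + 2
    if tag & 0x1F == 0x1F or first == 0x80:
        raise DERError("multi-byte tag (unsupported here) or indefinite length (BER-only)")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0x7F or pos + n > len(data):
            raise DERError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        if length < 128 or data[pos] == 0:
            raise DERError("non-minimal length is BER-only")
        pos += n
    if pos + length > len(data):
        raise DERError("truncated content")
    content = data[pos:pos + length]
    # Universal-class strings and times must be primitive; constructed (bit 0x20) is BER-only.
    if tag & 0xC0 == 0 and tag & 0x20 and tag & 0x1F in (0x04, 0x0C, 0x13, 0x16, 0x17, 0x18):
        raise DERError("constructed string/time is BER-only")
    if tag == 0x02 and len(content) > 1 and content[0] in (0x00, 0xFF) and content[1] >> 7 == content[0] >> 7:
        raise DERError("non-minimal INTEGER (leading octet only repeats the sign bit) is BER-only")
    return tag, content, pos + length

def is_strict_der(data):
    offset = 0
    try:
        while offset < len(data):
            offset = read_tlv(data, offset)[2]
    except DERError:
        return False
    return True
```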

Does it count as a nodeshell rescue if you made the nodeshell and then forgot about it?
