Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5 signatures. If an RSA key with exponent 3 is used it may be possible to forge a PKCS #1 v1.5 signature signed by that key. Implementations may incorrectly verify the certificate if they are not checking for excess data in the RSA exponentiation result of the signature.
I can hear Nelson saying "HA-HA." The details are here but let me see if I can offer a simpler explanation. In RSA, your public key is made up of an exponent and a modulus. In some RSA implementations, your public exponent is simply set to 3. Seems like a simple number, but you're going to tell everyone what it is anyway, and choosing a small number makes your calculations faster. (I'll use N for the modulus.) As a reminder, public key crypto lets you encrypt something, or sign something. When you encrypt, you encrypt with the recipient's public key, and only their private key can decrypt. When you sign, you encrypt with your private key, and anyone with your public key can decrypt... So, lets say your public exponent is 3. When someone wants to check your signature, they decrypt it with your public key. Literally, they perform this operation: X = signature^3 modulo N Now, RSA signatures are usually shorter then N before they are encrypted, so they get padded out to N first. It turns out that in some poor implementations of RSA its trivially easy to screw around with that padding so that a fake signature becomes a perfect cube, and the implementation won't examine what was inside the signature carefully enough to notice that you've done this. When your unencrypted signature is a perfect cube, it is easy to calculate it's cube root. This cube root will be accepted by RSA as a valid encrypted signature. |