Create an Account
username: password:
 
  MemeStreams Logo

OpenSSL | RSA Signature Forgery (CVE-2006-4339)
search
Home Agent Weblogs Social Network Post Help About

Decius
Picture of Decius
Decius's Pics
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

Decius's topics
Arts
  Literature
   Sci-Fi/Fantasy Literature
  Movies
   Sci-Fi/Fantasy Films
  Music
   Electronic Music
Business
  Finance & Accounting
  Tech Industry
  Telecom Industry
  Management
  Markets & Investing
Games
Health and Wellness
Home and Garden
  Parenting
Miscellaneous
  Humor
  MemeStreams
Current Events
  War on Terrorism
Recreation
  Cars and Trucks
  Travel
Local Information
  United States
   SF Bay Area
    SF Bay Area News
Science
  Biology
  History
  Math
  Nano Tech
  Physics
Society
  Economics
  Politics and Law
   Civil Liberties
    Internet Civil Liberties
    Surveillance
   Intellectual Property
  Media
   Blogging
Sports
Technology
  Computer Security
  Macintosh
  Spam
  High Tech Developments

support us

Get MemeStreams Stuff!


 
OpenSSL | RSA Signature Forgery (CVE-2006-4339)
Topic: Computer Security 5:51 pm EDT, Sep  8, 2006

Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
signatures. If an RSA key with exponent 3 is used it may be possible
to forge a PKCS #1 v1.5 signature signed by that key. Implementations
may incorrectly verify the certificate if they are not checking for
excess data in the RSA exponentiation result of the signature.

I can hear Nelson saying "HA-HA." The details are here but let me see if I can offer a simpler explanation.

In RSA, your public key is made up of an exponent and a modulus. In some RSA implementations, your public exponent is simply set to 3. Seems like a simple number, but you're going to tell everyone what it is anyway, and choosing a small number makes your calculations faster. (I'll use N for the modulus.)

As a reminder, public key crypto lets you encrypt something, or sign something. When you encrypt, you encrypt with the recipient's public key, and only their private key can decrypt. When you sign, you encrypt with your private key, and anyone with your public key can decrypt...

So, lets say your public exponent is 3. When someone wants to check your signature, they decrypt it with your public key. Literally, they perform this operation:

X = signature^3 modulo N

Now, RSA signatures are usually shorter then N before they are encrypted, so they get padded out to N first. It turns out that in some poor implementations of RSA its trivially easy to screw around with that padding so that a fake signature becomes a perfect cube, and the implementation won't examine what was inside the signature carefully enough to notice that you've done this. When your unencrypted signature is a perfect cube, it is easy to calculate it's cube root. This cube root will be accepted by RSA as a valid encrypted signature.

OpenSSL | RSA Signature Forgery (CVE-2006-4339)

Thread [2] - Reply


  
 
Powered By Industrial Memetics		RSS2.0