Matasano Chargen - Latest Comments in Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

swapniel — Tue, 23 Oct 2007 12:43:34 -0000

Suppose Fred sees your RSA signature on m1 and m2 (i.e. he sees m1d mod m and m2d mod n). How does he compute the signature on each of m1j mod n
(Positive integer j), m1-1 mod n, m1.m2 mod n, and in general m1j.m2k mod n (for arbitrary integers j and k)?
need the solution to this question plzzz

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

Thomas Ptacek — Thu, 19 Apr 2007 00:15:39 -0000

http://www.matasano.com/log/531/rsa-signature-f...

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

Hiba — Wed, 18 Apr 2007 14:52:58 -0000

Elobrate more in follwing please:

Suppose Fred sees your RSA signaure on m1 and m2, (i.e., he sees (m1d mod n) and (m2d mod n)).
How does he compute the signature on each of m1j mod n (for positive integer j), m1-1 mod n, m1 x m2 mod n, and
in general m1j m2k mod n (for arbitrary j and k)?

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

jan — Wed, 15 Nov 2006 09:59:48 -0000

Hi Guys, please email this solution to me quickly. thanks...that is today please, esperate
Suppose Fred sees your RSA signaure on m1 and m2, (i.e., he sees (m1d mod n) and (m2d mod n)).
How does he compute the signature on each of m1j mod n (for positive integer j), m1-1 mod n, m1 x m2 mod n, and
in general m1j m2k mod n (for arbitrary j and k)?

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

Thomas Ptacek — Sat, 16 Sep 2006 11:33:28 -0000

Also: grep -c? Gross.

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

Thomas Ptacek — Sat, 16 Sep 2006 11:32:38 -0000

Yeah, yeah, yeah.

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

sour grep:s — Sat, 16 Sep 2006 04:05:22 -0000

cat curl-ca-bundle.crt | grep Exponent | grep ": 3" | wc -l

!?!!??

grep -c "Exponent: 3" curl-ca-bundle.crt

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

marius — Tue, 12 Sep 2006 20:47:21 -0000

Google employs security enabled engineers in various teams. They like mucking around with this stuff.

There's more subtle flavors too:
padding|asn1((HASHALGO_ID,random[xx]),hash), so the noise to make for a nice cube is hidden inside an ignored, large parameter. Rinse, repeat. Many variants, different implementations fail different ways.
If you care about others' code verifying your signatures less error prone, don't use 3. And don't delegate powers to keys that use 3 either ;-)

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

Nicko — Mon, 11 Sep 2006 06:55:32 -0000

... Safari also depends on OpenSSL

Actually Safari uses Apple's "Security Framework", which is based on the OpenGroup CDSA codebase. Apple's code does not have the above bug; it makes use of the fact that PKCS#1 signatures are deterministic, constructs the correct value for the cleartext of the signature and check that this is exactly the same as the decryption of the signature.

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

anonymous former SunSoft/IR P — Sat, 09 Sep 2006 01:20:42 -0000

Jesus "tapdancing" Christ!!!(expletive deleted)

and thanx

nuff said

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

Dave G. — Fri, 08 Sep 2006 13:44:18 -0000

Nate:

I like that you can simultaneously break crypto and not be able to use a web application with one button :) This is why you need to stop using your c64 for web browsing.

Much love,

Dave G.

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

Nate — Fri, 08 Sep 2006 12:30:43 -0000

... LESS THAN OR EQUAL TO size_bits(n) / 3, means the exponentiation won't wrap. This means it's easy to find a value, s_evil, where the cube root produces a value that matches SHA1(evil).

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

Nate — Fri, 08 Sep 2006 12:27:06 -0000

Uh, great blog comment system.

... size_bits(s)

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

Nate — Fri, 08 Sep 2006 12:22:21 -0000

The math is more straightforward if you think about it differently than most people present it. Instead of:
m = s^e mod n

Think:
m = s * s * s - k * n

This iterative process is actually how modular exponentiation is implemented in computers. Each loop, you multiply by s and occasionally subtract off an n, based on the value of some bits of s. "k" is just an unimportant constant (how many times you subtract off n).

So, the question is "how big is 's'?" Normally, size_bits(s) = size_bits(n), i.e. 2048 commonly. This means that every time you multiply by "s", your accumulator wraps around quite a few times. This makes it hard for an attacker to guess how many times it wrapped, just by observing the final result (discrete log problem). Strict enforcement of padding is intended to keep this property.

But Bleichenbacher's attack (and a similar one we found previously in a shipping product) involves making "s" much smaller than n. If you can make size_bits(s)

Re: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

anonymous — Fri, 08 Sep 2006 02:14:14 -0000

who or what is Google Security?