http://matasanochargen.disqus.com/enWed, 13 Sep 2006 19:37:50 -0000http://www.matasano.com/log/487/rsa-signature-forgery-explained-with-nate-lawson-part-ii/#comment-2320515MD5 makes this attack very slightly easier. SHA256 would make it slightly harder (you'd have a harder time sliding a bogus hash into a 1024 bit modulus). But all the engineering you could do with hash functions are for nothing if you don't get signature verification right.Thomas PtacekWed, 13 Sep 2006 19:37:50 -0000http://www.matasano.com/log/487/rsa-signature-forgery-explained-with-nate-lawson-part-ii/#comment-2320514I'd love to hear an explanation for why the people in charge of the TLS standard haven't added any ciphersuites with alternative hashes.<br><br>They add a screwball symmetric algorithm like SEED, yet they can't be bothered to add suites that use SHA-256, SHA-512, Whirlpool, or Tiger, even when there was speculation that SHA-1 would be next to fall when MD5 attacks were announced a couple years ago?tymeWed, 13 Sep 2006 17:07:04 -0000http://www.matasano.com/log/487/rsa-signature-forgery-explained-with-nate-lawson-part-ii/#comment-2320513Silly question, but couldn't the entire thing have been avoided had we<br><br>a) switched to OAEP ?<br>b) implemented OAEP correctly ?<br>c) refused to trust anyone who uses a low exponent ?<br><br>At least, if we trust the random oracle model, we have something relatively strong in our hands (OAEP). I am consistently surprised that the migration away from other, clearly weaker message padding schemes isn't happening more quickly.<br><br>Cheers,<br>HalvarHalvarWed, 13 Sep 2006 16:31:04 -0000