RSA signatures without padding
Florian Weimer
fw at deneb.enyo.de
Mon Jun 20 11:58:07 EDT 2005
I came across an application which uses RSA signatures on plain MD5
hashes, without padding (the more significant bits are all zero).
Even worse, the application doesn't check if the padding bits are
actually zero during signature verification. The downside is that the
encryption exponent is fairly large, compared to the modules (27 vs
1024 bits). A few hundred signed messages have been published so far.
What do you think? Are attacks against this application feasible?
(It should be corrected, of course, but it's not clear if a
high-priority update is needed.)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list