Why the exponent 3 error happened:

Kuehn, Ulrich Ulrich.Kuehn at telekom.de
Thu Nov 9 04:44:31 EST 2006


> From: hal at finney.org [mailto:hal at finney.org] 
> Sent: Sonntag, 17. September 2006 06:01
> For another example of just how badly this kind of thing can 
> be done, look at this code excerpt from Firefox version 
>, which is the fixed version.  There are two PKCS-1 
> parsing functions, one which returns the hash and its prefix, 
> the other of which is given the hash and asked whether it 
> matches the RSA-signed value.  This is from the latter one:
>     /*
>      * check the padding that was used
>      */
>     if (buffer[0] != 0 || buffer[1] != 1)
>         goto loser;
>     for (i = 2; i < modulus_len - hash_len - 1; i++) {
>         if (buffer[i] == 0)
>             break;
>         if (buffer[i] != 0xff)
>             goto loser;
>     }
>     /*
>      * make sure we get the same results
>      */
>     if (PORT_Memcmp(buffer + modulus_len - hash_len, hash, 
> hash_len) != 0)
>         goto loser;
>     PORT_Free(buffer);
>     return SECSuccess;
> Here, buffer holds the result of the RSA exponentiation, of 
> size modulus_len, and we are passed hash of size hash_len to compare.
> I don't think this code is used, fortunately.  It will accept 
> anything of the form 0, 1, 0, garbage, hash.  Just goes to 
> show how easy it is to get this kind of parsing wrong.

Unfortunately, this code _is_ used! It took me quite a while to understand under what circumstances, but here is the result. The problem is fixed as of version (out now). Interestingly, the mozilla people fixed it by themselves in the 2.0 version (and any public beta I could find), but for the 1.5 version it took my bug report...

So here is how the code is used and some hints (I am reluctant to give out the details right now, given that there are still many vulnerable systems out there. However, I am sure you can easily work out the details):

Whenever a SSL or TLS server send a ServerKeyExchange message, the key contained in there is signed with a fresh nonce. This signature is checked using RSA_CheckSign(). 

Faking a signature for a key with a small exponent like 3 is easy. This can be used to break the SSL/TLS authentication.

Better upgrade asap...


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list