Exponent 3 damage spreads...
Simon Josefsson
jas at extundo.com
Thu Sep 14 04:37:45 EDT 2006
pgut001 at cs.auckland.ac.nz (Peter Gutmann) writes:

> Simon Josefsson <jas at extundo.com> writes:
>
>>The second problem is that the "parameters" field can ALSO be used to store
>>data that may be used to manipulate the signature value into being a cube.
>>To my knowledge, this was discovered by Yutaka Oiwa, Kazukuni Kobara, Hajime
>>Watanabe. I didn't attend Crypto 06, but as far as I understand from Hal's
>>post, this aspect was not discussed. Their analysis isn't public yet, as far
>>as I know.
>
> Can you make a guess at what it is? Is it the fact that you can have NULL
> parameters for algorithms or optionally non-NULL parameters?

Yes. Implementations that didn't validate the parameters field are
potentially vulnerable; the attacker can put garbage in the parameters
field to make the signature value a cube. Look at the certificates I
posted.

> Changing this could be tricky because there are all sorts of
> inconsistencies both in standards and implementations, the standard
> practice has been to skip the parameters field because if you don't,
> things break.

I don't think so. The contents of the parameters field depend on the
hash algorithm. As far as I know (but I didn't read the scriptures),
for normal hashes like SHA-1 the parameters field should not be used.
Checking that it is empty shouldn't be a problem.

Or do you know of real certificates with a non-NULL parameters field
in the signature?

It is important to keep in mind that this only applies to incorrect
implementations that handle keys with e=3. Using Debian's
/etc/ssl/certs/ CA list, which on my system contains around 100 CAs, I
extracted the issuer name of the CAs with e=3:

  Issuer: C=US,O=Digital Signature Trust Co.,OU=DSTCA E1
  Issuer: C=US,O=Digital Signature Trust Co.,OU=DSTCA E2
  Issuer: C=US,O=Entrust.net,OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab.,OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Client Certification Authority
  Issuer: C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority

I'm not familiar with DST, so I wonder whether those two are widely
used. https://secure.digsigtrust.com/ doesn't use it.

That leaves two Entrust certificates. At least
https://www.entrust.com/ is protected by the second certificate above,
so it may be in wide use.

/Simon
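The check Simon is arguing for, as an added example that is not part of this thread or of any implementation it mentions: the flawed behaviour is a verifier that walks the PKCS#1 v1.5 DigestInfo by DER, compares only the hash OID and the digest, and never looks at the AlgorithmIdentifier parameters (or at bytes after the DigestInfo), so an encoded block that carries filler in the parameters field is accepted. The correct behaviour is to rebuild the one valid encoding (00 01 FF..FF 00 || DigestInfo, with NULL parameters for SHA-1 per RFC 3447 section 9.2) and compare the whole block byte for byte, leaving nothing to parse. The SHA-1 DigestInfo prefix is the RFC's; the message, the 2048-bit block size and the 0xAA filler are constructed for the demonstration. Only the encoded blocks are compared; no RSA operation or cube-root computation is involved, and the lenient parser models the described defect rather than any named product.

```python
import hashlib
import hmac

# DER encoding of DigestInfo for SHA-1 up to (not including) the 20-byte hash
# (RFC 3447, 9.2 note 1): SEQUENCE { SEQUENCE { OID sha1, NULL }, OCTET STRING }
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
SHA1_OID = bytes.fromhex("2b0e03021a")


def build_em(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of msg for a k-byte modulus:
    00 01 FF..FF 00 || DigestInfo, with the padding filling the whole block."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this encoding")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def strict_verify(em: bytes, msg: bytes, k: int) -> bool:
    """Correct check: rebuild the only valid encoding and compare all k bytes.
    Nothing is parsed, so neither the parameters field nor the region after
    the hash can hold anything but the expected bytes."""
    return len(em) == k and hmac.compare_digest(em, build_em(msg, k))


def _tlv(buf: bytes, pos: int):
    """Minimal DER tag-length-value reader (short-form lengths only)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this model")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def lenient_verify(em: bytes, msg: bytes) -> bool:
    """Model of the flawed verifier described in the thread: skip the padding,
    walk DigestInfo by DER, check only the OID and the digest. The padding
    length, the AlgorithmIdentifier parameters and any bytes after the
    DigestInfo are never examined."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    tag, digest_info, _ = _tlv(em, i + 1)       # bytes after DigestInfo ignored
    if tag != 0x30:
        return False
    tag, alg_id, pos = _tlv(digest_info, 0)     # AlgorithmIdentifier
    if tag != 0x30:
        return False
    tag, oid, _ = _tlv(alg_id, 0)               # parameters after the OID ignored
    if tag != 0x06:
        return False
    tag, digest, _ = _tlv(digest_info, pos)     # OCTET STRING holding the hash
    return tag == 0x04 and oid == SHA1_OID and digest == hashlib.sha1(msg).digest()


def build_em_with_params(msg: bytes, k: int, params: bytes) -> bytes:
    """Constructed malformed block: same layout as build_em, but the
    AlgorithmIdentifier carries `params` (as an OCTET STRING) instead of NULL,
    and the padding shrinks to make room. Used only to compare parsers."""
    params_der = b"\x04" + bytes([len(params)]) + params
    alg_body = b"\x06\x05" + SHA1_OID + params_der
    alg_id = b"\x30" + bytes([len(alg_body)]) + alg_body
    body = alg_id + b"\x04\x14" + hashlib.sha1(msg).digest()
    t = b"\x30" + bytes([len(body)]) + body
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


MSG = b"constructed sample message"   # constructed input
K = 256                               # byte length of a 2048-bit modulus

if __name__ == "__main__":
    good = build_em(MSG, K)
    bad = build_em_with_params(MSG, K, b"\xaa" * 40)   # constructed filler
    print("strict  verifier, well-formed block  :", strict_verify(good, MSG, K))
    print("lenient verifier, well-formed block  :", lenient_verify(good, MSG))
    print("lenient verifier, filler in params   :", lenient_verify(bad, MSG))
    print("strict  verifier, filler in params   :", strict_verify(bad, MSG, K))
```

The two verifiers agree on a well-formed block; they differ only on the block with filler in the parameters field, which the lenient walker accepts and the byte-for-byte comparison rejects. The same comparison also rejects a block whose padding is too short or which has bytes after the DigestInfo, so one check covers all three shapes of malformed encoding.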
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com