Why the exponent 3 error happened:
Kuehn, Ulrich
Ulrich.Kuehn at telekom.de
Mon Sep 18 06:17:37 EDT 2006
I noticed the exact same code being present in the mozilla 1.7.13 source ... I wonder what the correct consequence would be? Have us crypto people proof-read all relevant source code? Better educate developers?
Interestingly the attacker's playground between the 0, 1, 0 and the hash gets bigger with larger key sizes, so I wonder if attacks get easier for longer keys...
Cheers,
Ulrich
> From: hal at finney.org [mailto:hal at finney.org]
>
> For another example of just how badly this kind of thing can
> be done, look at this code excerpt from Firefox version
> 1.5.0.7, which is the fixed version. There are two PKCS-1
> parsing functions, one which returns the hash and its prefix,
> the other of which is given the hash and asked whether it
> matches the RSA-signed value. This is from the latter one:
>
> /*
>  * check the padding that was used
>  */
> if (buffer[0] != 0 || buffer[1] != 1)
>     goto loser;
> for (i = 2; i < modulus_len - hash_len - 1; i++) {
>     if (buffer[i] == 0)
>         break;
>     if (buffer[i] != 0xff)
>         goto loser;
> }
>
> /*
>  * make sure we get the same results
>  */
> if (PORT_Memcmp(buffer + modulus_len - hash_len, hash,
>                 hash_len) != 0)
>     goto loser;
>
> PORT_Free(buffer);
> return SECSuccess;
>
> Here, buffer holds the result of the RSA exponentiation, of
> size modulus_len, and we are passed hash of size hash_len to compare.
>
> I don't think this code is used, fortunately. It will accept
> anything of the form 0, 1, 0, garbage, hash. Just goes to
> show how easy it is to get this kind of parsing wrong.
>
> (Note, this is from
> mozilla/security/nss/lib/softoken/rsawrapr.c:RSA_CheckSign())
>
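Added example in Python, not part of the original message or of the Mozilla code Hal quotes: the quoted padding check rendered as `lenient_check`, next to a strict check that accounts for every byte of the encoding, both run over two constructed buffers (a correct PKCS#1 v1.5 type-1 encoding and the 0, 1, 0, garbage, hash shape the message describes). The modulus length, the hash value and the filler bytes are constructed assumptions.

```python
import hashlib
import hmac

def lenient_check(buffer: bytes, hash_: bytes) -> bool:
    """Python rendering of the quoted RSA_CheckSign() padding check: it stops at
    the first 0x00 byte and never confirms that the 0xFF run reaches the hash."""
    modulus_len, hash_len = len(buffer), len(hash_)
    if buffer[0] != 0 or buffer[1] != 1:
        return False
    for i in range(2, modulus_len - hash_len - 1):
        if buffer[i] == 0:
            break          # bytes between here and the hash are never examined
        if buffer[i] != 0xFF:
            return False
    return buffer[modulus_len - hash_len:] == hash_

def strict_check(buffer: bytes, hash_: bytes) -> bool:
    """Rebuild the only acceptable encoding, 00 01 FF..FF 00 <hash>, with the
    padding string at least 8 octets long (the PKCS#1 v1.5 minimum), and compare
    the whole buffer against it so every byte is accounted for."""
    ps_len = len(buffer) - len(hash_) - 3
    if ps_len < 8:
        return False
    expected = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + hash_
    return hmac.compare_digest(buffer, expected)

MODULUS_LEN = 128  # constructed: a 1024-bit modulus
HASH = hashlib.sha1(b"constructed message").digest()  # constructed 20-byte hash

def well_formed(hash_: bytes = HASH, modulus_len: int = MODULUS_LEN) -> bytes:
    """Constructed buffer in the correct PKCS#1 v1.5 type-1 layout."""
    return b"\x00\x01" + b"\xff" * (modulus_len - len(hash_) - 3) + b"\x00" + hash_

def zero_then_garbage(hash_: bytes = HASH, modulus_len: int = MODULUS_LEN) -> bytes:
    """Constructed buffer of the shape the message describes: 0, 1, 0, garbage, hash."""
    filler = modulus_len - len(hash_) - 3
    return b"\x00\x01\x00" + bytes((37 * i + 11) & 0xFF for i in range(filler)) + hash_

def compare_checks() -> dict:
    """Run both checks over both buffers; only the lenient one accepts the malformed input."""
    return {name: (lenient_check(buf, HASH), strict_check(buf, HASH))
            for name, buf in (("well_formed", well_formed()),
                              ("zero_then_garbage", zero_then_garbage()))}

if __name__ == "__main__":
    for name, (lenient, strict) in compare_checks().items():
        print(f"{name:18s} lenient={lenient} strict={strict}")
```

The strict version also rejects a buffer whose 0xFF run is shorter than eight bytes, which the quoted loop tolerates as long as the separator and hash line up.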