Why the exponent 3 error happened:

Kuehn, Ulrich Ulrich.Kuehn at telekom.de
Mon Sep 18 06:17:37 EDT 2006


I noticed the exact same code being present in the mozilla 1.7.13 source ... I wonder what the correct consequence would be? Have us crypto people proof-read all relevant source code? Better educate developers?

Interestingly the attacker's playground between the 0, 1, 0 and the hash gets bigger with larger key sizes, so I wonder if attacks get easier for longer keys...

Cheers,
Ulrich

> From: hal at finney.org [mailto:hal at finney.org] 
> 
> For another example of just how badly this kind of thing can 
> be done, look at this code excerpt from Firefox version 
> 1.5.0.7, which is the fixed version.  There are two PKCS-1 
> parsing functions, one which returns the hash and its prefix, 
> the other of which is given the hash and asked whether it 
> matches the RSA-signed value.  This is from the latter one:
> 
>     /*
>      * check the padding that was used
>      */
>     if (buffer[0] != 0 || buffer[1] != 1)
>         goto loser;
>     for (i = 2; i < modulus_len - hash_len - 1; i++) {
>         if (buffer[i] == 0)
>             break;
>         if (buffer[i] != 0xff)
>             goto loser;
>     }
> 
>     /*
>      * make sure we get the same results
>      */
>     if (PORT_Memcmp(buffer + modulus_len - hash_len, hash, 
> hash_len) != 0)
>         goto loser;
> 
>     PORT_Free(buffer);
>     return SECSuccess;
> 
> Here, buffer holds the result of the RSA exponentiation, of 
> size modulus_len, and we are passed hash of size hash_len to compare.
> 
> I don't think this code is used, fortunately.  It will accept 
> anything of the form 0, 1, 0, garbage, hash.  Just goes to 
> show how easy it is to get this kind of parsing wrong.
> 
> (Note, this is from 
> mozilla/security/nss/lib/softoken/rsawrapr.c:RSA_CheckSign())
> 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list