RSA/SSL Signature Forgery -- Guy Macon

Some commonly used implementations using RSA it have been shown to have weaknesses.

| | From [

]: | | OpenSSL Security Advisory [5th September 2006] | | RSA Signature Forgery (CVE-2006-4339) | ===================================== | | Vulnerability | ------------- | | Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5 | signatures. If an RSA key with exponent 3 is used it may be possible | to forge a PKCS #1 v1.5 signature signed by that key. Implementations | may incorrectly verify the certificate if they are not checking for | excess data in the RSA exponentiation result of the signature. | | Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is | used in X.509 certificates, all software that uses OpenSSL to verify | X.509 certificates is potentially vulnerable, as well as any other use | of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or | TLS. | | OpenSSL versions up to 0.9.7j and 0.9.8b are affected. | | The Common Vulnerabilities and Exposures project (cve.mitre.org) has | assigned the name CAN-2006-4339 to this issue. |

Also see:

Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

RSA Signature Forgery Explained (with Nate Lawson)

Bleichenbacher's RSA signature forgery based on implementation error

Mozilla Foundation Security Advisory 2006-60: RSA Signature Forgery

Mozilla Foundation Security Advisory 2006-66: RSA Signature Forgery (variant)

Mozilla Falls To RSA Forgery Attack

A forged SSL server certificate can be accepted by Opera as a valid certificate

GNUTLS PKCS RSA Signature Forgery Vulnerability

Widespread Diffie-Hellman Implementation Weakness: Conspiracy or Ignorance?

Fun with Exponents: Certificate Forgery

[gnutls-dev] Original analysis of signature forgery problem

The Pwnie Awards

--
Guy Macon  Guy Macon 
Guy Macon  Guy Macon 
Guy Macon  Guy Macon 
Guy Macon  Guy Macon