RSA Signature Forgery Explained (with Nate Lawson) - Part I

Thomas Ptacek | September 12th, 2006 | Filed Under: Defenses, Guests, New Findings, Uncategorized


We wrote last week about a new attack on broken RSA implementations.

Recall that an RSA signature has two parts: a hash of the message, and an RSA signature on that hash. Hash and signature are glued together by padding, which transforms a 20-byte hash into the (e.g.) 1024-bit integer RSA needs.

The new attack manipulates that glue to disconnect the hash from the signature. Attackers can generate bogus valid-looking signatures on a hash they control, of any message they want. Result: attackers can forge (among other things) X509 certificates in SSL/TLS and elsewhere.
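A strict check on that glue, as an added example that is not code from the original post or from any library it mentions. It assumes the PKCS #1 v1.5 layout with SHA-1; the function names and the sample blocks are constructed for illustration, and no RSA math is performed.

```python
import hashlib
import hmac

# ASN.1 DigestInfo header for SHA-1 (PKCS #1 v1.5); the 20-byte hash follows it.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def expected_block(message: bytes, modulus_bytes: int) -> bytes:
    """Build 00 01 FF..FF 00 || DigestInfo || hash, filling the whole modulus."""
    tail = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    pad_len = modulus_bytes - len(tail) - 3
    if pad_len < 8:
        raise ValueError("modulus too small for this encoding")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + tail


def padding_ok(recovered: bytes, message: bytes, modulus_bytes: int) -> bool:
    """Strict check on the block recovered by the RSA public-key operation.

    The verifier does not parse the block; it rebuilds the one encoding it
    would have produced and compares every byte, so the hash cannot sit
    anywhere except right-justified at the end.
    """
    if len(recovered) != modulus_bytes:
        return False
    return hmac.compare_digest(recovered, expected_block(message, modulus_bytes))


def demo() -> dict:
    """Run the check over constructed blocks (hypothetical sample input)."""
    msg, k = b"constructed sample message", 128  # 128 bytes = 1024-bit modulus
    good = expected_block(msg, k)
    tail = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    cases = {
        "well-formed": good,
        # Constructed malformed blocks: each alters only the padding "glue".
        "short padding, extra bytes after hash":
            b"\x00\x01" + b"\xff" * 8 + b"\x00" + tail + b"\x00" * (k - 11 - len(tail)),
        "wrong block type": b"\x00\x02" + good[2:],
        "non-FF byte in padding": good[:10] + b"\x00" + good[11:],
        "truncated block": good[1:],
    }
    return {name: padding_ok(block, msg, k) for name, block in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'accept' if ok else 'reject'}  {name}")
```

Only the well-formed block is accepted; every variant that carries the correct hash inside altered padding is rejected because the comparison covers the full modulus-sized block.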

BIND’s DNSSEC resolver code falls to the same attack as well, causing a great disturbance in the force, as if tens of voices suddenly cried out in terror and were suddenly (if only briefly) silenced. Expect more announcements. OpenSSL is a popular library used by many applications, other RSA implementations likely have similar flaws, and you have to wonder how many embedded systems are also affected.

Time to test your emergency software update procedures.

Tonight we’re kicking off an N-part series. This week, our blog’s cryptographic guardian angel Nate Lawson, of San Francisco security force-of-nature Cryptography Research, is working with us to analyze the flaw, its aftermath, and the lessons we can learn from it.


4 Comments so far

  • TC

    September 13th, 2006 9:11 pm

    If your articles weren’t written in fixed-size 0.000001 point type, in grey, on a light grey background, perhaps I could actually read them!!

  • Jason Haley

    September 13th, 2006 9:22 pm

    Interesting Finds: September 13, 2007

  • Thomas Ptacek

    September 13th, 2006 9:26 pm

    Darkened the grey by 50%. You’re right, that’s much better.

    Don’t know what to say about the font size: that was the opposite complaint before the new font. I’ll just point out that we’re the same point size as CNN, with more leading.

  • […] Introduction and impact of RSA padding verification flaw […]
