[17510] in cryptography@c2.net mail archive


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

RSA signatures without padding

daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Jun 20 12:31:05 2005

X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: Florian Weimer <fw@deneb.enyo.de>
To: cryptography@metzdowd.com
Date: Mon, 20 Jun 2005 17:58:07 +0200

I came across an application which uses RSA signatures on plain MD5
hashes, without padding (the more significant bits are all zero).
Even worse, the application doesn't check if the padding bits are
actually zero during signature verification.  The downside is that the
encryption exponent is fairly large, compared to the modules (27 vs
1024 bits). A few hundred signed messages have been published so far.

What do you think?  Are attacks against this application feasible?
(It should be corrected, of course, but it's not clear if a
high-priority update is needed.)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[17510] in cryptography@c2.net mail archive

RSA signatures without padding

daemon@ATHENA.MIT.EDU (Florian Weimer)Mon Jun 20 12:31:05 2005

daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Jun 20 12:31:05 2005