[44167] in cryptography@c2.net mail archive
RE: Why the exponent 3 error happened:
daemon@ATHENA.MIT.EDU (Kuehn, Ulrich)
Mon Sep 18 07:32:05 2006
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: "Kuehn, Ulrich" <Ulrich.Kuehn@telekom.de>
To: hal@finney.org
Cc: cryptography@metzdowd.com
Date: Mon, 18 Sep 2006 12:17:37 +0200
I noticed the exact same code being present in the mozilla 1.7.13 source ... I wonder what the correct consequence would be? Have us crypto people proof-read all relevant source code? Better educate developers?
Interestingly the attacker's playground between the 0, 1, 0 and the hash gets bigger with larger key sizes, so I wonder if attacks get easier for longer keys...
Cheers,
Ulrich
> From: hal@finney.org [mailto:hal@finney.org]
>
> For another example of just how badly this kind of thing can
> be done, look at this code excerpt from Firefox version
> 1.5.0.7, which is the fixed version. There are two PKCS-1
> parsing functions, one which returns the hash and its prefix,
> the other of which is given the hash and asked whether it
> matches the RSA-signed value. This is from the latter one:
>
> /*
> * check the padding that was used
> */
> if (buffer[0] != 0 || buffer[1] != 1)
> goto loser;
> for (i = 2; i < modulus_len - hash_len - 1; i++) {
> if (buffer[i] == 0)
> break;
> if (buffer[i] != 0xff)
> goto loser;
> }
>
> /*
> * make sure we get the same results
> */
> if (PORT_Memcmp(buffer + modulus_len - hash_len, hash,
> hash_len) != 0)
> goto loser;
>
> PORT_Free(buffer);
> return SECSuccess;
>
> Here, buffer holds the result of the RSA exponentiation, of
> size modulus_len, and we are passed hash of size hash_len to compare.
>
> I don't think this code is used, fortunately. It will accept
> anything of the form 0, 1, 0, garbage, hash. Just goes to
> show how easy it is to get this kind of parsing wrong.
>
> (Note, this is from
> mozilla/security/nss/lib/softoken/rsawrapr.c:RSA_CheckSign())
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com