Variants of Bleichenbacher's Low-Exponent Attack on PKCS#1 RSA Signatures

Authors

  • Ulrich Kühn
  • Andrei Pyshkin
  • Erik Tews
  • Ralf-Philipp Weinmann
Abstract

We give three variants and improvements of Bleichenbacher's low-exponent attack from CRYPTO 2006 on PKCS#1 v1.5 RSA signatures. For each of these three variants the fake signature representatives are accepted as valid by a flawed implementation. Our attacks work against much shorter keys than Bleichenbacher's original attack, i.e. even for usual 1024-bit RSA keys. The first two variants can be used to break a certificate chain for vulnerable implementations, if the CA uses a public exponent of 3. Such CA certificates are indeed deployed in many browsers like Mozilla, Opera and Konqueror. The third attack works against the Netscape Security Services only, and requires the public exponent 3 to be present in a site's certificate, not the CA certificate. Using any of these attack vectors, an active adversary can mount a full man-in-the-middle attack on any SSL connection initiated by a vulnerable client.


Similar resources

New Attacks on PKCS#1 v1.5 Encryption

This paper introduces two new attacks on PKCS#1 v1.5, an RSA-based encryption standard proposed by RSA Laboratories. As opposed to Bleichenbacher's attack, our attacks are chosen-plaintext only, i.e. they do not make use of a decryption oracle. The first attack applies to small public exponents and shows that a plaintext ending by sufficiently many zeroes can be recovered efficiently when two o...


RSA Laboratories Bulletin #5

This bulletin describes a recently devised attack on PKCS #1 v1.5, the RSA Encryption Standard [3]. This attack affects only the digital envelope portion of PKCS #1. In the following sections we describe the digital enveloping method in PKCS #1 and the new attack. We also describe a variety of countermeasures that successfully thwart the attack, in particular, we describe the countermeasure to ...


I. Fast Variants of RSA

We survey four variants of RSA designed to speed up RSA [12] decryption and signing. We only consider variants that are backwards compatible in the sense that a system using one of these variants can interoperate with systems using standard RSA. 1. INTRODUCTION RSA is the most widely deployed public key cryptosystem. It is used for securing web traffic, e-mail, and some wireless dev...


Double Counting in $2^t$-ary RSA Precomputation Reveals the Secret Exponent

A new fault attack, double counting attack (DCA), on the precomputation of $2^t$-ary modular exponentiation for a classical RSA digital signature (i.e., RSA without the Chinese remainder theorem) is proposed. The $2^t$-ary method is the most popular and widely used algorithm to speed up the RSA signature process. Developers can realize the fastest signature process by choosing optimum t. For example,...


Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1

This paper introduces a new adaptive chosen ciphertext attack against certain protocols based on RSA. We show that an RSA private-key operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1. An example of a protocol susceptible to our ...



Publication date: 2008