Attacking the Diebold Signature Variant – RSA Signatures with Unverified High-order Padding
نویسندگان
چکیده
We examine a natural but improper implementation of RSA signature verification deployed on the widely used Diebold Touch Screen and Optical Scan voting machines. In the implemented scheme, the verifier fails to examine a large number of the high-order bits of signature padding and the public exponent is three. We present an very mathematically simple attack that enables an adversary to forge signatures on arbitrary messages in a negligible amount of time.
منابع مشابه
Selective Forgery of RSA Signatures with Fixed-Pattern Padding
We present a practical selective forgery attack against RSA signatures with fixed-pattern padding shorter than two thirds of the modulus length. Our result extends the practical existential forgery of such RSA signatures that was presented at Crypto 2001. For an n-bit modulus the heuristic asymptotic runtime of our forgery is comparable to the time required to factor a modulus of only 9 64n bit...
متن کاملFault Attacks on Randomized RSA Signatures
Fault attacks exploit hardware malfunctions or induce them to recover secret keys embedded in a secure device such as a smart card. In the late 90’s, Boneh, DeMillo and Lipton [6] and other authors introduced fault-based attacks on crt-rsa which allow the attacker to factor the signer’s modulus when the message padding function is deterministic. Since then, extending fault attacks to randomized...
متن کاملAttacking Unbalanced RSA-CRT Using SPA
Efficient implementations of RSA on computationally limited devices, such as smartcards, often use the CRT technique in combination with Garner’s algorithm in order to make the computation of modular exponentiation as fast as possible. At PKC 2001, Novak has proposed to use some information that may be obtained by simple power analysis on the execution of Garner’s algorithm to recover the facto...
متن کاملCryptanalysis of RSA Signatures with Fixed-Pattern Padding
A fixed-pattern padding consists in concatenating to the message m a fixed pattern P . The RSA signature is then obtained by computing (P |m) mod N where d is the private exponent and N the modulus. In Eurocrypt ’97, Girault and Misarsky showed that the size of P must be at least half the size of N (in other words the parameter configurations |P | < |N |/2 are insecure) but the security of RSA ...
متن کاملFrom Fixed-Length to Arbitrary-Length RSA Padding Schemes
A common practice for signing with RSA is to first apply a hash function or a redundancy function to the message, add some padding and exponentiate the resulting padded message using the decryption exponent. This is the basis of several existing standards. In this paper we show how to build a secure padding scheme for signing arbitrarily long messages with a secure padding scheme for fixed-size...
متن کامل