
I'm confident you were aware of the bug in that paper, David, since it's just the e=3 cube-root attack on unvalidated P1v15 padding.

Are you talking about the broadcast attack? This is on signatures, and it seems different from Bleichenbacher's signature forgery.

(But again, haven't read the paper, also don't remember how bb signature forgery works)

(I'll read the paper but right now I'm in Hawaii doing snorkeling)

This is in Cryptopals! You were a Cryptopal! How did you get through that without implementing the e=3 sig attack?

The bug is straightforward: RSA implementations don't verify all the bits in the padding, but rather "parse" it to find the digest, and then verify that. But there are, of course, bajillions of potential padded signature block representations that contain any given digest, since the block is so much bigger than the digest. For e=3, and for particularly naive implementations (like Firefox's, at the time) you can almost literally just formulate the signature block you want, then take its cube root to forge a signature.

Oh right. Thanks for the reminder :)

Sorry to disappoint, I did not do all the Cryptopals :P Filippo actually has a good blog post on that attack IIRC.

You have, in fact, disappointed me! :|

(There are some set-7 problems I haven't done yet, for whatever that's worth. But e=3 sigs are a big one!)

Alright I will do it :D

Honestly, if you can find a broken implementation (or just write one; do the RSA "decrypt" of the signature block, and then just use a constant offset to get to the digest bytes), you should be able to knock it out just from the description I provided in like, 30 minutes.
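The broken verifier and the cube-root forgery that the two comments above describe, written out as an added example (this is not code from the thread, from Cryptopals, or from any real implementation). Assumptions: e=3 with a 2048-bit modulus, SHA-256 DigestInfo, a parser that skips the 0xFF run, reads the DigestInfo right after the 0x00 separator and never looks at the trailing bytes, and a stand-in modulus derived from hashes rather than a real p*q (the forgery never touches the private key, and because the forged cube is smaller than n it is never reduced, so a real e=3 key behaves the same way). The strict verifier beside it shows the fix: rebuild the single valid block and compare every byte.

```python
import hashlib

# Added example, not the thread's code: a PKCS#1 v1.5 verifier that "parses"
# the padding instead of comparing the whole block, and the e=3 forgery against it.

E = 3
MOD_BITS = 2048
K = MOD_BITS // 8  # length of the encoded block in bytes

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DER_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def demo_modulus() -> int:
    """Stand-in 2048-bit modulus (assumption: built from hashes, not p*q).
    The attack only needs (n, e); with a real e=3 key the result is identical,
    since the forged cube is below n and is never reduced."""
    raw = b"".join(hashlib.sha256(b"demo-modulus-%d" % i).digest() for i in range(K // 32))
    n = int.from_bytes(raw, "big")
    return n | (1 << (MOD_BITS - 1)) | 1  # full bit length, odd


def digest_info(msg: bytes) -> bytes:
    return SHA256_DER_PREFIX + hashlib.sha256(msg).digest()


def rsa_public(sig: bytes, n: int) -> bytes:
    # "decrypt" the signature: m = sig^e mod n, returned as a K-byte block
    return pow(int.from_bytes(sig, "big"), E, n).to_bytes(K, "big")


def verify_naive(msg: bytes, sig: bytes, n: int) -> bool:
    """Broken: parses 00 01 FF..FF 00, then checks the DigestInfo found at that
    offset and ignores whatever bytes follow it."""
    block = rsa_public(sig, n)
    if block[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(block) and block[i] == 0xFF:
        i += 1
    if i >= len(block) or block[i] != 0x00:
        return False
    i += 1
    di = digest_info(msg)
    return block[i:i + len(di)] == di  # trailing bytes are never examined


def verify_strict(msg: bytes, sig: bytes, n: int) -> bool:
    """Correct: rebuild the only valid block for this message and compare all K bytes."""
    di = digest_info(msg)
    expected = b"\x00\x01" + b"\xff" * (K - 3 - len(di)) + b"\x00" + di
    return rsa_public(sig, n) == expected


def icbrt(x: int) -> int:
    """Floor of the integer cube root (Newton iteration on integers)."""
    r = 1 << ((x.bit_length() + 2) // 3)  # starts at or above the root
    while True:
        y = (2 * r + x // (r * r)) // 3
        if y >= r:
            return r
        r = y


def forge(msg: bytes) -> bytes:
    """Bleichenbacher e=3 forgery: write the shortest block the naive parser
    accepts, fill the rest with 0xFF, and take the cube root. The cube of that
    root only differs from the target in the low bytes, which the parser ignores,
    and it stays below n, so no private key is involved."""
    di = digest_info(msg)
    prefix = b"\x00\x01\xff\x00" + di
    target = int.from_bytes(prefix + b"\xff" * (K - len(prefix)), "big")
    return icbrt(target).to_bytes(K, "big")


if __name__ == "__main__":
    n = demo_modulus()
    sig = forge(b"hi mom")
    print("naive verifier accepts forgery:", verify_naive(b"hi mom", sig, n))
    print("strict verifier accepts forgery:", verify_strict(b"hi mom", sig, n))
```

The margin that makes this work: the prefix is 55 bytes, so the garbage region is 201 bytes (1608 bits), while rounding the cube root down perturbs the cube by less than 3 times target^(2/3), which is under 2^1362 here. With a 1024-bit modulus and SHA-256 the prefix would exceed a third of the block and the rounding error would eat into the DigestInfo, which is why the classic write-ups pair a 1024-bit key with SHA-1.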
