# Variants of Bleichenbacher's Low-Exponent Attack on PKCS#1 RSA Signatures

@inproceedings{Khn2008VariantsOB, title={Variants of Bleichenbacher's Low-Exponent Attack on PKCS\#1 RSA Signatures}, author={Ulrich K{\"u}hn and Andrei Pyshkin and Erik Tews and Ralf-Philipp Weinmann}, booktitle={Sicherheit}, year={2008} }

We give three variants and improvements of Bleichenbacher’s low-exponent attack from CRYPTO 2006 on PKCS#1 v1.5 RSA signatures. For each of these three variants the fake signature representatives are accepted as valid by a flawed implementation. Our attacks work against much shorter keys as Bleichenbacher’s original attack, i.e. even for usual 1024 bit RSA keys. The first two variants can be used to break a certificate chain for vulnerable implementations, if the CA uses a public exponent of 3…

## 11 Citations

### On the security of authentication protocols on the web. (La sécurité des protocoles d'authentification sur leWeb)

- Computer Science
- 2016

New tools and methods are developed that can serve as the foundation towards an extensive compositional Web security analysis framework that could be used to implement and formally verify applications against a reasonably extensive model of attacker capabilities on the Web.

### Breaking Mobile Firmware Encryption through Near-Field Side-Channel Analysis

- Computer ScienceASHES@CCS
- 2019

This paper describes how a secret AES key was retrieved from the hardware cryptoprocessor of a smartphone as part of an attack scenario targeting the bootloader decryption.

### Analyzing Semantic Correctness with Symbolic Execution: A Case Study on PKCS#1 v1.5 Signature Verification

- Computer ScienceNDSS
- 2019

It is discussed how symbolic execution can be used to not only find low-level errors but also analyze the semantic correctness of protocol implementations, and a strategy of meta-level search is proposed, which leverages constraints stemmed from the input formats to automatically generate concolic test cases.

### Web PKI: Closing the Gap between Guidelines and Practices

- Computer ScienceNDSS
- 2014

This work evaluates the actual level of adherence to the CA/Browser Forum guidelines over time, as well as the impact of each violation, by inspecting a large collection of certificates gathered from Web crawls and automatically deriving profile templates that characterize the makeup of certificates per issuer.

### Internet Engineering Task Force (ietf)

- Computer Science
- 2010

This document generalizes IKEv2 signature support to allow any signature method supported by PKIX and also adds signature hash algorithm negotiation, a generic mechanism that can also be used with other signature algorithms.

### ASN1 ★ : Provably Correct Non-Malleable Parsing for ASN.1 DER

- Computer Science
- 2022

This work presents ASN1 ★, the first formalization of ASN.1 DER with a mechanized proof of non-malleability, and provides a shallow embedding of AS.1.1 with a serious security challenge in practice.

### MEFORMA Security Evaluation Methodology - A Case Study

- Computer SciencePECCS
- 2014

The challenge of security testing is tackled, and the methodology for evaluating the security of IT products – MEFORMA was specifically created as a framework for commercial security evaluations, and has already been proven in more than 50 projects over twelve years.

### THE PURDUE UNIVERSITY GRADUATE SCHOOL STATEMENT OF DISSERTATION APPROVAL

- Computer Science
- 2017

This thesis considers statistical steganalysis of images in two different frameworks, first study staganalysis in the framework of statistical hypothesis testing, and proposes a hiding scheme using a reference matrix to lower the distortion caused by embedding.

### On Re-engineering the X.509 PKI with Executable Specification for Better Implementation Guarantees

- Computer ScienceCCS
- 2021

This paper re-engineering and formalizing a widely used fragment of the X.509 standard specification, and then using it to develop a high-assurance implementation of CERES, an executable specification that can be efficiently enforced by an SMT solver.

### Morpheus: Bringing The (PKCS) One To Meet the Oracle

- Computer ScienceCCS
- 2021

This paper has used Morpheus to test 45 implementations of PKCS#1-v1.5 signature verification and discovered that 6 of them are susceptible to variants of the Bleichenbacher-style low public exponent RSA signature forgery attack, 1 implementation has a buffer overflow, 33 implementations have incompatibility issues, and 8 implementations have minor leniencies.

## References

SHOWING 1-10 OF 15 REFERENCES

### TWENTY YEARS OF ATTACKS ON THE RSA CRYPTOSYSTEM

- Computer Science, Mathematics
- 1999

A simplified version of RSA encryption is described and a malicious attacker wishing to eavesdrop or tamper with the communication between Alice and Bob is used, to illustrate the dangers of improper use of RSA.

### Collision-Resistant Hashing: Towards Making UOWHFs Practical

- Computer Science, MathematicsCRYPTO
- 1997

The classic Merkle-Damgard method used in the standard setting fails for these weaker kinds of hash functions, and the main construction is the XOR tree, which considers the problem of input length-variability and presents a general solution.

### PKCS # 1 : RSA Encryption Standard

- Computer Science
- 1991

This standard describes a method for encrypting data using the RSA public-key cryp-tosystem in the construction of digital signatures and digital envelopes, and describes a syntax for RSA public keys and private keys.

### RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)

- BiologyRFC
- 2001

This document describes how to produce RSA/SHA1 SIG resource records (RRs) in Section 3 and, so as to completely replace RFC 2537, describes how to produce RSA KEY RRs in Section 2.

### Bleichenbacher's RSA signature forgery based on implementation error. Post to the IETF OpenPGP mailing list

- Bleichenbacher's RSA signature forgery based on implementation error. Post to the IETF OpenPGP mailing list
- 2006

### PKCS #1: RSA Cryptography Specifications Version 2.1. RFC 3447

- PKCS #1: RSA Cryptography Specifications Version 2.1. RFC 3447
- 2003

### Here we describe how some of the major affected implementations were fixed regarding the attacks described in this paper

- Here we describe how some of the major affected implementations were fixed regarding the attacks described in this paper

### Re: Why the exponent 3 error happened. Post to cryptography mailing list

- Re: Why the exponent 3 error happened. Post to cryptography mailing list
- 2006

### GNUTLS-SA-2006-4 vulnerability report. Post to the gnutls-dev mailing list

- GNUTLS-SA-2006-4 vulnerability report. Post to the gnutls-dev mailing list
- 2006

### Bleichenbacher’s RSA signature forgery based on implementation error

- Post to the IETF OpenPGP mailing list, August
- 2006