A new variant for an attack against RSA signature verification using parameter field


Abstract

We present a method to create a forged signature which will be verified to a syntactically well-formed ASN.1 datum, when certificate authorities use small RSA public exponents such as 3. Our attack is related to the technique which Daniel Bleichenbacher reported recently, but our forged signature is a well-formed ASN.1 datum, unlike Bleichenbacher's original attack: thus our new attack is still applicable to certain implementations even if these are immune to Bleichenbacher's attack. We have also analyzed the parameters which enable our attack and Bleichenbacher's, and found that both attacks are possible with the combination of existing public keys of widely-trusted certificate authorities and existing real-world implementations. We have already reported the vulnerability to developers of both GNUTLS and Mozilla NSS to fix their implementations. © Springer-Verlag Berlin Heidelberg 2007.

Oiwa, Y., Kobara, K., & Watanabe, H. (2007). A new variant for an attack against RSA signature verification using parameter field. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4582 LNCS, pp. 143–153). Springer Verlag. https://doi.org/10.1007/978-3-540-73408-6_10
