This paper presents a new signature forgery strategy. The attack is a sophisticated variant of Desmedt-Odlyzko’s method where the attacker obtains the signatures of m_1, ..., m_{τ−1} and exhibits the signature of an m_τ which was never submitted to the signer; we assume that all messages are padded by a redundancy function µ before being signed. Before interacting with the signer, the attacker selects τ smooth µ(m_i)-values and expresses µ(m_τ) as a multiplicative combination of the padded strings µ(m_1), ..., µ(m_{τ−1}). The signature of m_τ is then forged using the homomorphic property of RSA. For DIN NI-17.4, PKCS #1 v2.0 and SSL-3.0, the attack is only theoretical since it only applies to specific moduli and happens to be less efficient than factoring; therefore, the attack does not endanger any of these standards.
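The multiplicative relation the abstract describes, shown on a toy scale as an added example (not code from the paper or its authors). The key, the redundancy function `mu`, the prime bound and the search limit are all constructed assumptions, and a brute-force search for one integer relation among smooth padded values stands in for the paper's own way of building the combination, which this page does not show.

```python
from itertools import combinations

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def mu(m):
    """Hypothetical redundancy function: the message plus a fixed trailer byte."""
    return (m << 8) | 0xBC

def sign(m):
    """Signer's side; the only place the private exponent D is used."""
    return pow(mu(m), D, N)

def verify(m, s):
    return pow(s, E, N) == mu(m)

def exponents(x):
    """Exponent vector of x over PRIMES, or None when x is not smooth."""
    vec = []
    for p in PRIMES:
        k = 0
        while x % p == 0:
            x //= p
            k += 1
        vec.append(k)
    return tuple(vec) if x == 1 else None

def find_relation(limit=128):
    """Return (a, b, c, t) such that mu(a) * mu(b) == mu(c) * mu(t)."""
    smooth = {m: v for m in range(limit) if (v := exponents(mu(m)))}
    seen = {}
    for a, b in combinations(smooth, 2):
        total = tuple(x + y for x, y in zip(smooth[a], smooth[b]))
        if total in seen:  # equal exponent sums mean equal integer products
            return (a, b) + seen[total]
        seen[total] = (a, b)
    return None

def forge():
    """Sign a, b and c only, then derive the signature of the unsigned t."""
    a, b, c, t = find_relation()
    # RSA is multiplicative: sig(t) = sig(a) * sig(b) / sig(c) mod N.
    s = sign(a) * sign(b) * pow(sign(c), -1, N) % N
    return t, s, (a, b, c)
```

Because `mu` is deterministic and keeps the multiplicative structure of the integers visible, the derived value equals the signature the signer would have produced for `t`.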
- On the Security of RSA Padding
Julien P. Stern
- Springer Berlin Heidelberg