[Openswan Users] try_RSA_signature_v2() and PKCS#1 v1.5 Padding
1one.w01f
dev.1one.w01f at gmail.com
Fri Aug 10 16:07:04 EDT 2018
Hi,
My colleagues and I were testing the signature verification implemented
in OpenSWAN v2.6.50, and realized that given an IKEv2 with the
RSASSA-PKCS1-v1_5 signature scheme, the try_RSA_signature_v2() function
doesn't seem to verify that each of the padding bytes is exactly 0xFF
(the padding skip is in verify_signed_hash(), where only the initial
0x00 and BT=0x01, and the end-of-padding 0x00 are being checked).
Given a small enough public exponent (say e=3) and a long enough
modulus, this might open up possibilities for a Bleichenbacher-style
signature forgery. For example, it should be possible to adopt the
attack outlined in Section 5 of [1] to exploit the unchecked padding bytes.
We suspect that this might have implications on the processing of the
AUTH payload, where a potential function call sequence would be like this:
ikev2_verify_rsa_sha1()=>RSA_check_signature_gen()=>take_a_crack()=>try_RSA_signature()
[1] Variants of Bleichenbacher’s Low-Exponent Attack on PKCS#1 RSA
Signatures
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.698.7230
Thanks,
Wolf Smith
More information about the Users
mailing list