[Openswan Users] try_RSA_signature_v2() and PKCS#1 v1.5 Padding

1one.w01f dev.1one.w01f at gmail.com
Fri Aug 10 16:07:04 EDT 2018


My colleagues and I were testing the signature verification implemented
in OpenSWAN v2.6.50, and realized that given an IKEv2 with the
RSASSA-PKCS1-v1_5 signature scheme, the try_RSA_signature_v2() function
doesn't seem to verify that each of the padding bytes is exactly 0xFF
(the padding skip is in verify_signed_hash(), where only the initial
0x00 and BT=0x01, and the end-of-padding 0x00 are being checked).

Given a small enough public exponent (say e=3) and a long enough
modulus, this might open up possibilities for a Bleichenbacher-style
signature forgery. For example, it should be possible to adopt the
attack outlined in Section 5 of [1] to exploit the unchecked padding bytes.

We suspect that this might have implications on the processing of the
AUTH payload, where a potential function call sequence would be like this:

[1] Variants of Bleichenbacher’s Low-Exponent Attack on PKCS#1 RSA

Wolf Smith

More information about the Users mailing list