CVE-2014-1568, CVE-2006-4339

Daniel Bleichenbacher

The attacker wants to forge a cryptographic signature.

RSA is an algorithm invented in the 70's that makes it possible to do cryptographic encryption, and signing. To use this, someone publishes two values (

For performance reasons, it's very common to use 3 or other small primes as the value of the public exponent

Daniel Bleichenbacher

The attacker wants to forge a cryptographic signature.

RSA is an algorithm invented in the 70's that makes it possible to do cryptographic encryption, and signing. To use this, someone publishes two values (

*e*and*N*) and keeps another value (*d*) secret. To create a signature of a message, one calculates a cryptographic hash of a message which is then transformed to a standardized format (this is called padding) and then exponentiates it to the secret exponent (*d*). The verification operation becomes the exponentiation of the signature to the public exponent (*e*). Both of these operations are followed by dividing the result by*N*, ignoring the quotient, and outputting the remainder. This uses a property of modular exponentiation that allows someone to calculate*d*given*e*and the prime factors of*N*(the security of the system is based on the fact that calculating the prime factors of a large number is thought to be very difficult). Since*e*and*N*are public, signatures can be verified by anyone, and since*d*is secret, only whoever has it is able to create new signatures.For performance reasons, it's very common to use 3 or other small primes as the value of the public exponent

*e*. This, is not supposed to be a problem, but it makes it possible to calculate the exact cubic root of a message with enough control over it's value so that it's also a correctly formatted. This means that without having to calculate*d*, an attacker could calculate a number that looks like a signature of a message because the cube of that number would look like a correctly formatted hash. This abuses the fact that implementations of signature verification are often very lax and forgiving by accepting values that are incorrectly formatted.