This repository has been archived by the owner on Mar 25, 2024. It is now read-only.
RSA PKCS#1 v1.5 signature scheme verification incompatibility issue #91
Comments
|
Hello Daniel,
Nice catch, but wow that is an obscure one.
Basically the SHA256 identifier string in your I octet could be either
302f300b06096086480165030402010420 (yours)
or
3031300d0609608648016503040201*0500*0420 (ours)
and
I =
0x0001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00
*302f300b060960864801650304020
1*04207509e5bda0c762d2bac7f90d758b5b2263fa01ccbc542ab5e3df163be08e6ca9
or
I =
0x0001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00
*3031300d0609608648016503005004020
1*04207509e5bda0c762d2bac7f90d758b5b2263fa01ccbc542ab5e3df163be08e6ca9
So in effect there are 2 PKCS1.5 representations, and when verifying both
must be considered. I guess the solution is to reconstruct both forms and
perform both comparisons before rejecting a signature.
Mike
…On Thu, Apr 1, 2021 at 6:59 AM Daniel Yahyazadeh ***@***.***> wrote:
I was testing PKCS#1 v1.5 signature verification as implemented in
milagro-crypto and noticed it rejects valid signature whose encoded message
uses an implicit NULL parameter for hash algorithm (where digestAlgorithm
ANS.1 der encoded does not have NULL parameter TLV; that is, 0x0500 is
absent).
According to RFC4055, pg.5 <https://tools.ietf.org/html/rfc4055> and RFC8017,
pg. 64 <https://tools.ietf.org/html/rfc8017>, for SHA-1, and the SHA-2
family, the algorithm parameter has to be NULL and both explicit NULL
parameter and implicit NULL parameter (ie, absent NULL parameter) are
considered to be legal and equivalent. However, this implementation does
not accept a valid PKCS input with implicit NULL parameter.
*Reference notation and concrete values*
- N: public modulus
- |N|: length of public modulus
- d: private exponent
- e: public exponent
- H: hash function
- m: message
- I: to-be-singed RSA PKCS#1 v1.5 signature scheme input structure
- S: signature value obtained by I^d mod N
N = 0xE932AC92252F585B3A80A4DD76A897C8B7652952FE788F6EC8DD640587A1EE5647670A8AD4C2BE0F9FA6E49C605ADF77B5174230AF7BD50E5D6D6D6D28CCF0A886A514CC72E51D209CC772A52EF419F6A953F3135929588EBE9B351FCA61CED78F346FE00DBB6306E5C2A4C6DFC3779AF85AB417371CF34D8387B9B30AE46D7A5FF5A655B8D8455F1B94AE736989D60A6F2FD5CADBFFBD504C5A756A2E6BB5CECC13BCA7503F6DF8B52ACE5C410997E98809DB4DC30D943DE4E812A47553DCE54844A78E36401D13F77DC650619FED88D8B3926E3D8E319C80C744779AC5D6ABE252896950917476ECE5E8FC27D5F053D6018D91B502C4787558A002B9283DA7
|N| = 256 bytes
d = 0x009b771db6c374e59227006de8f9c5ba85cf98c63754505f9f30939803afc1498eda44b1b1e32c7eb51519edbd9591ea4fce0f8175ca528e09939e48f37088a07059c36332f74368c06884f718c9f8114f1b8d4cb790c63b09d46778bfdc41348fb4cd9feab3d24204992c6dd9ea824fbca591cd64cf68a233ad0526775c9848fafa31528177e1f8df9181a8b945081106fd58bd3d73799b229575c4f3b29101a03ee1f05472b3615784d9244ce0ed639c77e8e212ab52abddf4a928224b6b6f74b7114786dd6071bd9113d7870c6b52c0bc8b9c102cfe321dac357e030ed6c580040ca41c13d6b4967811807ef2a225983ea9f88d67faa42620f42a4f5bdbe03b
e = 3
H = SHA-256 (OID = 0x608648016503040201)
m = "hello world!"
I = 0x0001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00302f300b060960864801650304020104207509e5bda0c762d2bac7f90d758b5b2263fa01ccbc542ab5e3df163be08e6ca9
S = 0xa0073057133ff3758e7e111b4d7441f1d8cbe4b2dd5ee4316a14264290dee5ed7f175716639bd9bb43a14e4f9fcb9e84dedd35e2205caac04828b2c053f68176d971ea88534dd2eeec903043c3469fc69c206b2a8694fd262488441ed8852280c3d4994e9d42bd1d575c7024095f1a20665925c2175e089c0d731471f6cc145404edf5559fd2276e45e448086f71c78d0cc6628fad394a34e51e8c10bc39bfe09ed2f5f742cc68bee899d0a41e4c75b7b80afd1c321d89ccd9fe8197c44624d91cc935dfa48de3c201099b5b417be748aef29248527e8bbb173cab76b48478d4177b338fe1f1244e64d7d23f07add560d5ad50b68d6649a49d7bc3db686daaa7
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#91>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAU3ZDQTYJ56OGFQO4BIX3TTGQDUPANCNFSM42GLMSRQ>
.
|
|
Hi Mike, Yes, this exactly what needs to happen if you do the construction-based (i.e., encoding-based) signature verification. Thank you, |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I was testing PKCS#1 v1.5 signature verification as implemented in milagro-crypto and noticed it rejects valid signature whose encoded message uses an implicit NULL parameter for hash algorithm (where digestAlgorithm ANS.1 der encoded does not have NULL parameter TLV; that is,
0x0500is absent).According to RFC4055, pg.5 and RFC8017, pg. 64, for SHA-1, and the SHA-2 family, the algorithm parameter has to be NULL and both explicit NULL parameter and implicit NULL parameter (ie, absent NULL parameter) are considered to be legal and equivalent. However, this implementation does not accept a valid PKCS input with implicit NULL parameter.
Reference notation and concrete values
N: public modulus|N|: length of public modulusd: private exponente: public exponentH: hash functionm: messageI: to-be-singed RSA PKCS#1 v1.5 signature scheme input structureS: signature value obtained byI^d mod NThe text was updated successfully, but these errors were encountered: