RSA Signature Forgery Vulnerability?
Both OpenSSL and BouncyCastle have announced fixes related to a vulnerability recently found in PKCS #1 v1.5 signatures.
http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/
http://www.openssl.org/news/secadv_20060905.txt
Do current versions of JSSE/JCE have this issue? And if so, what is being done to address it?
G
By garthoida at 2007-10-3 5:15:17

> Both OpenSSL and BouncyCastle have announced fixes
> related to a vulnerability recently found in PKCS #1
> v1.5 signatures.
>
> http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/
>
> http://www.openssl.org/news/secadv_20060905.txt
>
> Do current versions of JSSE/JCE have this issue? And if
> so, what is being done to address it?
>
> G
Yes, Sun's JCE is vulnerable to this attack. You can, for example, verify this yourself:
Generate a 3072-bit RSA public key with public exponent e=3.
Use the message:
Welcome to Crypto 06
The SHA-1 hash of this message is
132930072fd147c44e4df2289206ba472f53d855
You can verify that Sun's JCE accepts the signature
07ffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff
fffffffffffffffeaaead6eab6b2b18e
bd595822b1555ac56ee1955eea6c5fb0
6867ed8b6d5e4db43f1a75c7ffffffff
for this message.
I'm currently using JDK 1.5 for my tests.
I'm not aware of patches.
Daniel Bleichenbacher
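As an added illustration (not code from this thread or from Sun's JCE), here is the verification step the bug concerns, in Python: a lenient left-to-right parser that stops checking once it has matched the DigestInfo, beside the strict check from RFC 8017 that rebuilds the expected encoded message and compares it whole. It assumes a 384-byte encoded message (a 3072-bit modulus, as in the post) and the SHA-1 DigestInfo prefix from RFC 8017; it works on the encoded message only, the malformed input is constructed, and the cube-root step that turns such a message into a signature under e=3 is not performed.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-1(message)), em_len bytes."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def lenient_verify(em: bytes, message: bytes) -> bool:
    """The flawed pattern: scan from the left and stop once the hash matches.
    Anything after the DigestInfo is never examined, so it may hold arbitrary bytes."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:  # fewer than 8 pad bytes or no separator
        return False
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    return em[i + 1:i + 1 + len(t)] == t

def strict_verify(em: bytes, message: bytes) -> bool:
    """The fix (RFC 8017, section 8.2.2 step 4): rebuild EM' and compare it whole."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

def malformed_em(message: bytes, em_len: int) -> bytes:
    """Constructed test input with the shape the 2006 attack relies on: minimal padding,
    a correct DigestInfo, then filler in the low-order bytes. Only the encoded message
    a lenient check would accept is built here; no signature is derived from it."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    filler = bytes((37 * i) % 256 for i in range(em_len - len(t) - 11))
    return b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + filler

if __name__ == "__main__":
    msg = b"Welcome to Crypto 06"   # message from the post above
    em_len = 3072 // 8              # encoded message length for a 3072-bit modulus
    good, bad = emsa_pkcs1_v15_encode(msg, em_len), malformed_em(msg, em_len)
    print("lenient accepts well-formed:", lenient_verify(good, msg))  # True
    print("lenient accepts malformed:  ", lenient_verify(bad, msg))   # True (the bug)
    print("strict accepts malformed:   ", strict_verify(bad, msg))    # False
```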