Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
[Crypto in CTF] Bleichenbacher RSA Signature Forgery
Search
oalieno
October 31, 2020
Technology
0
410
[Crypto in CTF] Bleichenbacher RSA Signature Forgery
https://github.com/oalieno/Crypto-Course/tree/master/RSA
oalieno
October 31, 2020
Tweet
Share
More Decks by oalieno
See All by oalieno
[Crypto in CTF] Classical Cipher
oalieno
0
280
[Crypto in CTF] Block Cipher Mode
oalieno
0
820
[Crypto in CTF] HASH
oalieno
0
160
[Crypto in CTF] LFSR
oalieno
0
370
[Crypto in CTF] RSA
oalieno
0
560
[Crypto in CTF] Blockchain Security
oalieno
0
340
滲透測試基本技巧與經驗分享
oalieno
2
900
Other Decks in Technology
See All in Technology
QAエンジニアが伝えたい品質保証の羅針盤 / Compass for Quality Assurance
mii3king
1
200
しくじり先生、PharmaXのLLMアプリケーション開発の失敗を語る
pharma_x_tech
0
140
AWS学習者向けにAzureの解説スライドを作成した話
handy
3
220
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
1
730
NewSQL Landscape
oracle4engineer
PRO
2
2.7k
Cloudflare WorkersがPythonに対応したので試してみた
miura55
0
100
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
1.1k
Documentação de Produtos: Artefatos essenciais na prática
rigolon
1
230
.NET Profiler in 2024.
kkamegawa
2
2.6k
高専で制御を、大学でセンシングを学び、次は脳みそ
satoshirobatofujimoto
0
120
生成AIの変革の時代に、直近1年で直面した課題とその解決策
ktc_wada
1
800
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.8k
Featured
See All Featured
Producing Creativity
orderedlist
PRO
338
39k
The Cost Of JavaScript in 2023
addyosmani
21
3.9k
GitHub's CSS Performance
jonrohan
1025
450k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
34
6.1k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Writing Fast Ruby
sferik
622
60k
Optimizing for Happiness
mojombo
370
69k
Why Our Code Smells
bkeepers
PRO
331
56k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
228
16k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
Agile that works and the tools we love
rasmusluckow
325
20k
Transcript
Bleichenbacher RSA Signature Forgery ( 2006 ) oalieno
PKCS
PKCS • PKCS ( Public Key Cryptography Standards ) 是公鑰密碼標準
• 制定了了⼀一系列列從 PKCS#1 到 PKCS#15 的標準 • 其中 PKCS#1 是 RSA Cryptography Standard
ASN.1 • ASN.1 是⾼高階的抽象標準 • 具體的實作編碼規則有 : BER, CER, DER,
PER, XER
PKCS#1 1.5 Signature https://tools.ietf.org/html/rfc2313 Step 1 : Message Digest M
H(M) HASH Sign
• ASN.1 是編碼數據的格式,這裡紀錄了了使⽤用的 hash 演算法 H(M) ASN.1 01 FF …
00 FF D = 00 padding Step 2 : Data Encoding Sign PKCS#1 1.5 Signature https://tools.ietf.org/html/rfc2313
Step 3 : RSA encryption D d % n =
S Sign PKCS#1 1.5 Signature https://tools.ietf.org/html/rfc2313
Step 1 : RSA decryption Verify S e % n
= D PKCS#1 1.5 Signature https://tools.ietf.org/html/rfc2313
Step 2 : Data Decoding Verify • 需要 parse 這個格式取出
H(M) • 這個標準沒有說要怎麼 parse • 如果 e 太⼩小且沒有正確的 parse,就有機會偽造簽章 H(M) ASN.1 01 FF … 00 FF D = 00 PKCS#1 1.5 Signature https://tools.ietf.org/html/rfc2313
Step 3 : Message digesting and comparison M' H(M)' H(M)
Verify compare PKCS#1 1.5 Signature https://tools.ietf.org/html/rfc2313
Bleichenbacher RSA Signature Forgery ( 2006 )
Bleichenbacher RSA Signature Forgery ( 2006 ) https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE • ⼜又稱作
BB06 • 針對 PKCS#1 1.5 ( RFC 2313 ) • RSA 簽章偽造 06
Bleichenbacher RSA Signature Forgery ( 2006 ) https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE • 實作缺陷
: 可以有多餘的字元在後⾯面 • parse 的時候直接取出後⾯面固定長度的 H(M) • 沒有檢查後⾯面還有沒有東⻄西 H(M) ASN.1 01 FF … 00 FF 00 Garbage
• 在 e = 3 的情況下可以 forge signature • 嘗試構造
ED 讓 ED 的三次⽅方不超過 n 且滿⾜足以下格式 S 3 % n = H(M) ASN.1 01 FF … 00 FF 00 Garbage Bleichenbacher RSA Signature Forgery ( 2006 ) https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE
H(M) ASN.1 01 FF … 00 FF Garbage 00 D
( length d ) G ( length g ) 2t−15 G + total length t (x + y)3 x3 3x2y + 2g ⋅ D + −2d+g 3xy2 y3 + + = Bleichenbacher RSA Signature Forgery ( 2006 ) https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE
x = 2t − 15 3 y = (D −
2d) ⋅ 2g 3 ⋅ 22(t − 15) 3 Bleichenbacher RSA Signature Forgery ( 2006 ) https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE
x = 21019 y = (D − 2288) ⋅ 234
3 • 假設 • Key 長度為 3072 bit • Garbage 長度為 2072 bit • 使⽤用 SHA-1 的話,D 的長度是 288 bit • 最後 ED = x + y 就是我們構造出的合法簽章 Bleichenbacher RSA Signature Forgery ( 2006 ) https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE
RSA Signature Forgery in python-rsa ( 2016 ) CVE-2016-1494
RSA Signature Forgery in python-rsa ( 2016 ) https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/ •
實作缺陷 : padding bytes 可以是任意字元 直接取第⼆二個 0x00 沒有檢查中間的 padding bytes
• 在 e = 3 的情況下可以 forge signature • 嘗試構造
ED 讓 ED 的三次⽅方不超過 n 且滿⾜足以下格式 • ED3 的後綴是 ASN.1 + H(M) • ED3 的前綴是 \x00\x01 H(M) ASN.1 01 ?? … 00 ?? 00 S 3 % n = RSA Signature Forgery in python-rsa ( 2016 ) https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/
0 S S3 ⽬目標 0 0 1 0 0 0
1 1 1 0 1 match RSA Signature Forgery in python-rsa ( 2016 ) https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/
0 S S3 ⽬目標 0 0 1 0 0 0
1 1 1 0 1 match RSA Signature Forgery in python-rsa ( 2016 ) https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/
0 S S3 ⽬目標 0 0 1 0 0 0
1 1 1 0 1 mismatch RSA Signature Forgery in python-rsa ( 2016 ) https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/
0 S S3 ⽬目標 1 0 1 1 1 0
1 1 1 0 1 match RSA Signature Forgery in python-rsa ( 2016 ) https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/
0 S S3 ⽬目標 1 0 1 1 1 0
1 1 1 0 1 match RSA Signature Forgery in python-rsa ( 2016 ) https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/
0 S S3 ⽬目標 1 0 1 1 1 0
1 1 1 0 1 01013 = 1111101 RSA Signature Forgery in python-rsa ( 2016 ) https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/
01 … … 00 3 = 92 3f … 68
04 bc 28 76 e4 50 … = 3 • 要讓 ED3 的前綴是 \x00\x01 只要把 \x00\x01... 開三次⽅方 • 最後再把開完三次⽅方的值的後綴換成前⾯面算出來來的後綴 • 就可以成功⾃自⼰己構造合法簽章了了 RSA Signature Forgery in python-rsa ( 2016 ) https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/
H(M) ASN.1 01 ?? … 00 ?? 00 92 3f
… bc 28 3 = RSA Signature Forgery in python-rsa ( 2016 ) https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/
A Decade After Bleichenbacher '06, RSA Signature Forgery Still Works
( 2019 )
A Decade After Bleichenbacher '06, RSA Signature Forgery Still Works
( 2019 ) https://i.blackhat.com/USA-19/Wednesday/us-19-Chau-A-Decade-After-Bleichenbacher-06-RSA-Signature-Forgery-Still-Works.pdf • 整個格式固定是 n 這麼長 • ⽤用 Symbolic Execution 去找到可以任意亂塞的部分有多長
A Decade After Bleichenbacher '06, RSA Signature Forgery Still Works
( 2019 ) https://i.blackhat.com/USA-19/Wednesday/us-19-Chau-A-Decade-After-Bleichenbacher-06-RSA-Signature-Forgery-Still-Works.pdf • 實作缺陷 : padding bytes 可以是任意字元 H(M) ASN.1 01 ?? … 00 ?? 00 CVE-2018-15836 Openswan 2.6.50
CVE-2018-16152 strongSwan 5.6.3 A Decade After Bleichenbacher '06, RSA Signature
Forgery Still Works ( 2019 ) https://i.blackhat.com/USA-19/Wednesday/us-19-Chau-A-Decade-After-Bleichenbacher-06-RSA-Signature-Forgery-Still-Works.pdf • 實作缺陷 : • Algorithm Parameter 可以是任意字元 • Algorithm OID 後⾯面可以有多餘的字元 H(M) 01 FF … 00 FF 00 ASN.1 00 03 20 03 0c Algorithm Parameter 04 10 Algorithm OID
CVE-2018-16150 axTLS 2.1.3 A Decade After Bleichenbacher '06, RSA Signature
Forgery Still Works ( 2019 ) https://i.blackhat.com/USA-19/Wednesday/us-19-Chau-A-Decade-After-Bleichenbacher-06-RSA-Signature-Forgery-Still-Works.pdf • 實作缺陷 : • 可以有多餘的字元在後⾯面 • Algorithm Identifier 可以是任意字元 H(M) 01 FF … 00 FF 00 ASN.1 00 03 20 03 0c Algorithm Identifier 04 10 Garbage
Defense against RSA Signature Forgery
How to defense? • ⽤用其他的簽章演算法,比如說 ECDSA • ⽤用更更⼤大的 e,比如 65537
• parsing based → comparison based H(M) ASN.1 01 FF … 00 FF 00 H(M) ASN.1 01 FF … 00 FF 00 compare