BERserk: New RSA signature forgery attack presented at ekoparty 2014

by Yuriy Bulygin

Summary: We will describe a new class of implementation vulnerabilities in PKCS#1 v1.5 RSA signature verification that enables a signature forgery attack. The attack exploits vulnerabilities in the parsing of ASN.1 encoded sequences during RSA signature verification. It is similar to the signature forgery attack against PKCS#1 v1.5 RSA signatures with low public exponents originally discovered by Daniel Bleichenbacher in 2006. Due to an incorrect check on signature padding, this attack allows RSA signatures to be forged without knowledge of the corresponding private key. As a result, attackers are able to “man-in-the-middle” connections that are assumed to be secure, allowing them to monitor and intercept transmitted data. We will demonstrate successful forgery of SSL/TLS certificates using the vulnerability in the Mozilla NSS library.
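The padding check the abstract refers to is the step after the modular exponentiation, where the verifier inspects the encoded message EM = 0x00 || 0x01 || PS || 0x00 || DigestInfo. The example below is added here and is not code from the talk or from NSS; it contrasts a lenient verifier that walks the structure from the front and never confirms that the hash sits at the very end of EM (the general bug class of the 2006 Bleichenbacher attack, of which the NSS ASN.1 length-parsing issue is a variant) with a strict verifier that rebuilds the expected EM and compares it whole. The key size, the SHA-256 DigestInfo prefix from RFC 8017, and the malformed EM built for the test are constructed for illustration; no signature or private key is involved, only the EM-level check.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, Section 9.2, Note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def build_em(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of msg for a k-byte modulus:
    0x00 || 0x01 || PS (0xff bytes, at least 8) || 0x00 || DigestInfo."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_em_strict(em: bytes, msg: bytes, k: int) -> bool:
    """Hardened check: recompute the one EM that is valid for (msg, k) and
    compare every byte. Nothing in the attacker-controlled EM is parsed."""
    if len(em) != k:
        return False
    try:
        expected = build_em(msg, k)
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def verify_em_lenient(em: bytes, msg: bytes, k: int) -> bool:
    """Flawed check, shown only to illustrate the bug class: it scans past the
    padding, parses the DigestInfo it finds, and returns once the hash matches,
    without requiring the padding to fill the block or the hash to end at the
    last byte of EM. Any bytes after the hash are silently ignored."""
    if len(em) != k or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i >= k or em[i] != 0x00:
        return False
    body = em[i + 1:]
    if not body.startswith(SHA256_DIGESTINFO_PREFIX):
        return False
    start = len(SHA256_DIGESTINFO_PREFIX)
    found_hash = body[start:start + 32]
    return found_hash == hashlib.sha256(msg).digest()   # trailing bytes unchecked


def constructed_malformed_em(msg: bytes, k: int) -> bytes:
    """Constructed test input: minimum padding, a correct DigestInfo, then
    filler bytes up to k. It is not a valid EMSA-PKCS1-v1_5 encoding."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (k - len(head))


if __name__ == "__main__":
    k = 128  # 1024-bit modulus, assumed for the demonstration
    msg = b"constructed test message"
    good = build_em(msg, k)
    bad = constructed_malformed_em(msg, k)
    print("strict  accepts valid EM:    ", verify_em_strict(good, msg, k))
    print("lenient accepts valid EM:    ", verify_em_lenient(good, msg, k))
    print("strict  accepts malformed EM:", verify_em_strict(bad, msg, k))
    print("lenient accepts malformed EM:", verify_em_lenient(bad, msg, k))
```

The strict verifier has no parser to get wrong: whatever length fields, padding lengths or trailing bytes an attacker can arrange inside EM, only the single byte-exact encoding for the message passes. This is the fix that RFC 8017 recommends for RSASSA-PKCS1-v1_5 verification and the one that closes the whole class rather than the individual parsing mistake.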