2

I'm aware of the multiplicative property of the textbook RSA and how it can be used to get a signature from a CA without having the CA directly signing it.

My question is - can this apply to the real world in modern implementations of RSA?

More specifically - assume I have this CA that will sign every CSR (Certificate Signature Request) I give it except a specific one, a "forbidden" one.

Theoretically, I would like to have this CA sign 2 (or more) "valid" CSRs and "multiply" their signatures to generate the desired "forbidden" signature (that one CSR the CA refused to sign)

Could this work?

shaqed
  • 123
  • 3
  • Note a CA doesn't ever sign a CSR; it signs (the hash of) a cert that is created partly from the CSR and partly from other sources. And if it follows the guidelines required to be accepted on the web (which not all CAs are) it must include sufficient randomness that you can't predict (much less control) the signed data (and thus hash). – dave_thompson_085 May 11 '19 at 04:11

1 Answers1

5

can this apply to the real world in modern implementations of RSA?

No!

RSA is a trapdoor function and the RSA public encryption/decryption and RSA signatures are derived from them. Contrary to some people, RSA decryption is not a signature.

RSA must never be used without proper padding. It is very dangerous and example attacks can be seen from the paper Twenty Years of Attacks on the RSA Cryptosystem by Dan Boneh.

Apart from the multiplicative property, some of the attacks are;

  • Common Modulus attack where a group shares the same modulus in which any other user can find the others private key.
  • Blinding is signature forging where the forger asks a blinded, suspicious, message to sign and then convert this into a valid signature.
  • Low private exponent ( Wiener's attack) where the private exponent is chosen small to reduce the signature time. The attack can recover the d
  • Hastad's Broadcast Attack where the sender sends the same message to may. The attack recovers the message.
  • Bleichenbacher's Attack on PKCS 1 uses the invalid ciphertext error returned from the target and the attacker turns the target into a decryption oracle.

This question What is RSA OAEP & RSA PSS in simple terms gives a simple explanation for both.

Community
  • 1
kelalaka
  • 48,443
  • 11
  • 116
  • 196
  • 1
    RSASSA-PKCS1v1_5 also prevents multiplication, and even PKCS1v1 'type 0' padding (dropped by v2.0 in 1998) included the DigestInfo which accidentally prevents multiplication although its goal was to prevent scheme-switching. – dave_thompson_085 May 11 '19 at 04:22