303
edits
Changes
Jump to navigation
Jump to search
m
fix dead link
Line 63:
Line 63:
The process can be simplified further by taking advantage of the mathematical properties of RSA. Given the signature ''m'', and the public key (''e'', ''n''), the decrypted signature is calculated as ''m''<sup>''e''</sup> mod ''n''. A zero signature (''m'' = 0) always results in a zero result, regardless of the values of ''e'' and ''n'' (that is, regardless of the certificate that is used to check the signature). All we have to do is zero out the signature and get a guaranteed result of all zeroes. This reduces the time needed to build a fake signature to an average of 256 short SHA-1 sums, which can be done in mere milliseconds. The actual number of attempts required can vary (and could theoretically be infinite), since SHA-1 behaves like a random number generator. This is why having to try a couple thousand times isn't uncommon, and why changing a single byte when bruteforcing is not sufficient.
The process can be simplified further by taking advantage of the mathematical properties of RSA. Given the signature ''m'', and the public key (''e'', ''n''), the decrypted signature is calculated as ''m''<sup>''e''</sup> mod ''n''. A zero signature (''m'' = 0) always results in a zero result, regardless of the values of ''e'' and ''n'' (that is, regardless of the certificate that is used to check the signature). All we have to do is zero out the signature and get a guaranteed result of all zeroes. This reduces the time needed to build a fake signature to an average of 256 short SHA-1 sums, which can be done in mere milliseconds. The actual number of attempts required can vary (and could theoretically be infinite), since SHA-1 behaves like a random number generator. This is why having to try a couple thousand times isn't uncommon, and why changing a single byte when bruteforcing is not sufficient.
−tmbinc has a more thorough explanation [http://debugmo.de/?p=61 here].
+tmbinc has a more thorough explanation [https://debugmo.de/2008/03/thank-you-datel/ here].
This bug was first fixed in [[IOS37]]. As of the [[System Menu 3.3|3.3 update]] the fix had spread to IOS30 & 31, and by [[23 Oct Updates|Oct 23, 2008]] it was in all but one IOS. This [[IOS16|last IOS]] was fixed with the [[System Menu 4.0|4.0 update]].
This bug was first fixed in [[IOS37]]. As of the [[System Menu 3.3|3.3 update]] the fix had spread to IOS30 & 31, and by [[23 Oct Updates|Oct 23, 2008]] it was in all but one IOS. This [[IOS16|last IOS]] was fixed with the [[System Menu 4.0|4.0 update]].