signatures – WindowsTechs.com

New SSH Vulnerability

Posted on November 15, 2023 by Bruce Schneier

For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established.

[…]

The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host…

Continue reading New SSH Vulnerability→

Micro-Star International Signing Key Stolen

Posted on May 15, 2023 by Bruce Schneier

Micro-Star International—aka MSI—had its UEFI signing key stolen last month.

This raises the possibility that the leaked key could push out updates that would infect a computer’s most nether regions without triggering a warning. To make matters worse, Matrosov said, MSI doesn’t have an automated patching process the way Dell, HP, and many larger hardware makers do. Consequently, MSI doesn’t provide the same kind of key revocation capabilities.

Delivering a signed payload isn’t as easy as all that. “Gaining the kind of control required to compromise a software build system is generally a non-trivial event that requires a great deal of skill and possibly some luck.” But it just got a whole lot easier…

Continue reading Micro-Star International Signing Key Stolen→

Java Cryptography Implementation Mistake Allows Digital-Signature Forgeries

Posted on April 22, 2022 by Bruce Schneier

Interesting implementation mistake:

The vulnerability, which Oracle patched on Tuesday, affects the company’s implementation of the Elliptic Curve Digital Signature Algorithm in Java versions 15 and above. ECDSA is an algorithm that uses the principles of elliptic curve cryptography to authenticate messages digitally.

[…]

ECDSA signatures rely on a pseudo-random number, typically notated as K, that’s used to derive two additional numbers, R and S. To verify a signature as valid, a party must check the equation involving R and S, the signer’s public key, and a cryptographic hash of the message. When both sides of the equation are equal, the signature is valid. …

Continue reading Java Cryptography Implementation Mistake Allows Digital-Signature Forgeries→

Hacking Digitally Signed PDF Files

Posted on March 8, 2021 by Bruce Schneier

Interesting paper: “Shadow Attacks: Hiding and Replacing Content in Signed PDFs“:

Abstract: Digitally signed PDFs are used in contracts and invoices to guarantee the authenticity and integrity of their content. A user opening a signed PDF expects to see a warning in case of any modification. In 2019, Mladenov et al. revealed various parsing vulnerabilities in PDF viewer implementations.They showed attacks that could modify PDF documents without invalidating the signature. As a consequence, affected vendors of PDF viewers implemented countermeasures preventing all attacks…

Continue reading Hacking Digitally Signed PDF Files→

Digital Signatures in PDFs Are Broken

Posted on March 6, 2019 by Bruce Schneier

Researchers have demonstrated spoofing of digital signatures in PDF files. This would matter more if PDF digital signatures were widely used. Still, the researchers have worked with the various companies that make PDF readers to close the vulnerabilities. You should update your software. Details are here. News article…. Continue reading Digital Signatures in PDFs Are Broken→

Evidence for the Security of PKCS #1 Digital Signatures

Posted on September 25, 2018 by Bruce Schneier

This is interesting research: "On the Security of the PKCS#1 v1.5 Signature Scheme": Abstract: The RSA PKCS#1 v1.5 signature algorithm is the most widely used digital signature scheme in practice. Its two main strengths are its extreme simplicity, which makes it very easy to implement, and that verification of signatures is significantly faster than for DSA or ECDSA. Despite the… Continue reading Evidence for the Security of PKCS #1 Digital Signatures→

Evidence for the Security of PKCS #1 Digital Signatures

Posted on September 25, 2018 by Bruce Schneier

This is interesting research: "On the Security of the PKCS#1 v1.5 Signature Scheme": Abstract: The RSA PKCS#1 v1.5 signature algorithm is the most widely used digital signature scheme in practice. Its two main strengths are its extreme simplici… Continue reading Evidence for the Security of PKCS #1 Digital Signatures→

Signed Malware

Posted on February 2, 2018 by Bruce Schneier

Signed Malware

Posted on February 2, 2018 by Bruce Schneier

Stuxnet famously used legitimate digital certificates to sign its malware. A research paper from last year found that the practice is much more common than previously thought. Now, researchers have presented proof that digitally signed malware is much more common than previously believed. What’s more, it predated Stuxnet, with the first known instance occurring in 2003. The researchers said they… Continue reading Signed Malware→

"Proof Mode" for your Smartphone Camera

Posted on March 1, 2017 by Bruce Schneier

ProofMode is an app for your smartphone that adds data to the photos you take to prove that they are real and unaltered: On the technical front, what the app is doing is automatically generating an OpenPGP key for this installed instance of the app itself, and using that to automatically sign all photos and videos at time of capture…. Continue reading "Proof Mode" for your Smartphone Camera→