I came across an application which uses RSA signatures on plain MD5
hashes, without padding (the more significant bits are all zero).
Even worse, the application doesn't check if the padding bits are
actually zero during signature verification.  The downside is that the
encryption exponent is fairly large, compared to the modules (27 vs
1024 bits). A few hundred signed messages have been published so far.

What do you think?  Are attacks against this application feasible?
(It should be corrected, of course, but it's not clear if a
high-priority update is needed.)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to