I came across an application which uses RSA signatures on plain MD5 hashes, without padding (the more significant bits are all zero). Even worse, the application doesn't check if the padding bits are actually zero during signature verification. The downside is that the encryption exponent is fairly large, compared to the modulus (27 vs 1024 bits). A few hundred signed messages have been published so far.
What do you think? Are attacks against this application feasible? (It should be corrected, of course, but it's not clear if a high-priority update is needed.)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
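The scheme described in the post, as an added example that is not code from the post or from the application it describes: textbook RSA applied to a raw MD5 digest, a lax verifier that compares only the low 128 bits of s^e mod n (the behaviour the post reports), and the strict verifier that also requires the high bits to be zero. It shows what the missing check buys an attacker: because textbook RSA is multiplicative, the product of two published signatures is a valid signature on the product of the two digests, and the lax verifier accepts it as a signature on a 128-bit digest the signer never signed. Assumptions: a 512-bit modulus rather than 1024 so the example runs quickly, a random 27-bit prime public exponent (the post gives only the size), and two constructed messages standing in for the published ones.

```python
"""Textbook RSA over a raw MD5 digest, with a lax verifier that ignores the
high bits of s^e mod n and a strict one that requires them to be zero."""
import hashlib
import random

HASH_BITS = 128
HASH_MASK = (1 << HASH_BITS) - 1


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; adequate for generating demo keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(modulus_bits: int = 512, exponent_bits: int = 27):
    """Assumed key shape: 27-bit prime public exponent as in the post; the
    modulus is shortened to 512 bits (assumption) so the example runs fast."""
    while True:
        p = random_prime(modulus_bits // 2)
        q = random_prime(modulus_bits // 2)
        e = random_prime(exponent_bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return pow(e, -1, phi), e, p * q   # (d, e, n)


def md5_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.md5(msg).digest(), "big")


def sign_raw(msg: bytes, d: int, n: int) -> int:
    # No padding: the 128-bit digest itself is the RSA input, so the
    # 896 high bits of the signed value are all zero.
    return pow(md5_int(msg), d, n)


def verify_lax(digest: int, sig: int, e: int, n: int) -> bool:
    # What the post describes: only the low 128 bits of s^e mod n are compared.
    return (pow(sig, e, n) & HASH_MASK) == digest


def verify_strict(digest: int, sig: int, e: int, n: int) -> bool:
    # The check that should be there: s^e mod n must equal the zero-extended
    # digest exactly, i.e. every high bit must be zero.
    return pow(sig, e, n) == digest


def combine(sig_a: int, sig_b: int, n: int) -> int:
    # Textbook RSA is multiplicative: (h_a^d)(h_b^d) = (h_a*h_b)^d mod n, so
    # the product of two published signatures is a valid signature on
    # h_a*h_b mod n, computed without the private key.
    return sig_a * sig_b % n


def demo():
    d, e, n = keygen()
    # Constructed sample messages standing in for two published signed ones.
    m_a, m_b = b"invoice 1234", b"invoice 5678"
    h_a, h_b = md5_int(m_a), md5_int(m_b)
    s_a, s_b = sign_raw(m_a, d, n), sign_raw(m_b, d, n)

    genuine = (verify_lax(h_a, s_a, e, n), verify_strict(h_a, s_a, e, n))

    forged_sig = combine(s_a, s_b, n)
    forged_value = h_a * h_b % n            # what s^e mod n really is (~256 bits)
    forged_digest = forged_value & HASH_MASK  # the only part the lax check sees
    forged = (verify_lax(forged_digest, forged_sig, e, n),
              verify_strict(forged_digest, forged_sig, e, n))
    return genuine, forged


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `((True, True), (True, False))`: the genuine signature passes both verifiers, while the combined signature passes only the lax one, because h_a*h_b is about 256 bits wide and the strict verifier sees the non-zero high bits. The lax verifier therefore accepts the combination as a signature on the 128-bit digest `forged_digest`; to turn that into a forged message the attacker still needs a message with that MD5, or relations among the published digests in the style of the Desmedt-Odlyzko smoothness attack on unpadded RSA signatures, which is why the feasibility question in the post turns on how many published signatures there are rather than on the exponent size.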