It is my understanding that, on a very basic level, using RSA without padding 
allows computing “valid” signatures for new messages by combining two existing 
signatures, because a^d * b^d == (a * b)^d.

The use of sha256 in this case probably makes this task slightly more annoying, 
but by no means impossible - it raises the bar only to crafting a message m 
where H(m) == H(m1) * H(m2) mod N. With padding the scheme becomes H = 
(PAD(SHA256(M))) which makes the resulting signature probabilistic rather than 
deterministic, and combining signatures to create new signatures no longer 
works.

It is also my understanding that the malleability problem with textbook (i.e. 
unpadded) RSA relates to encryption/decryption rather than 
signing/verification, but I could be wrong about that.
--
Michael Greene
Software Engineer
mgre...@securityinnovation.com

> On Jul 10, 2015, at 1:15 PM, Filip Paun <paunfi...@gmail.com> wrote:
> 
> Suppose I have a message M for which I generate an RSA-2048 digital signature 
> as follows:
> 
>   H = SHA-256(M)
>   S = H^d mod N
> 
> Assume N = p*q is properly generated and d is the RSA private key. 
> 
> 
> And I verify the signature as follows:
> 
>   S^e mod N == H'
> 
> where H' is the SHA-256 of the message to be authenticated. Assume e is the 
> RSA public key.
> 
> Since I've not used any padding then are there any flaws with the above 
> approach? What if e = 3? What if e = 2^16+1?
> 
> Your guidance is much appreciated.
> 
> Thank you,
> Filip
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
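
The multiplicative property discussed in this thread, as an added example that is not part of the original messages: it signs two hashes with the unpadded scheme S = H^d mod N, shows that the product of the signatures verifies against the product of the hashes, and repeats the test with an encoded hash. Assumptions: the key is built from two public Mersenne primes only so the script runs offline (not a secure key), the messages are constructed, and the deterministic EMSA-PKCS1-v1_5 encoding stands in for PAD.

```python
import hashlib

# Constructed toy key from two Mersenne primes (assumption; NOT a secure key).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER DigestInfo prefix for SHA-256 from PKCS#1 v1.5 (RFC 8017).
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
# Fixed leading bytes every validly encoded message must have.
PAD_PREFIX = b"\x00\x01" + b"\xff" * (K - len(DIGESTINFO) - 32 - 3) + b"\x00" + DIGESTINFO

def h_int(msg):
    """Bare hash as an integer: the representative used by the unpadded scheme."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def pad_int(msg):
    """EMSA-PKCS1-v1_5 encoded hash as an integer."""
    return int.from_bytes(PAD_PREFIX + hashlib.sha256(msg).digest(), "big")

def sign(rep):
    return pow(rep, D, N)

def recover(sig):
    return pow(sig, E, N)

def is_padded(value):
    """Structural check a padded verifier performs on the recovered value."""
    return value.to_bytes(K, "big").startswith(PAD_PREFIX)

def demo():
    m1, m2 = b"constructed message one", b"constructed message two"
    # Unpadded: the product of two signatures is a signature on H(m1)*H(m2) mod N.
    combined = (sign(h_int(m1)) * sign(h_int(m2))) % N
    textbook_combines = recover(combined) == (h_int(m1) * h_int(m2)) % N
    # Padded: an honest signature recovers to a well-formed encoding ...
    p1, p2 = sign(pad_int(m1)), sign(pad_int(m2))
    honest_ok = is_padded(recover(p1))
    # ... but the product of two signatures recovers to a value without it.
    combined_ok = is_padded(recover((p1 * p2) % N))
    return textbook_combines, honest_ok, combined_ok

if __name__ == "__main__":
    print(demo())
```

The unpadded verifier accepts any value below N as a hash, so the combined signature is valid for whatever message hashes to that product; the padded verifier rejects it before any hash comparison takes place.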
