See this paper: http://www.schneier.com/paper-ssl.html Section 4.4
"The signed params field contains the server's signature on a hash of the relevant ServerParams field, but the signature does not cover the KeyExchangeAlgorithm value. Therefore, by modifying the (unprotected) KeyExchangeAlgorithm field, we can abuse the server's legitimate signature on a set of Diffie-Hellman parameters and fool the client into thinking the server signed a set of ephemeral RSA parameters. We should point out that particularly cautious implementations might not be fooled by such tricks, if they check the length of the ServerParams field carefully. For example, SSLRef 3.0b1 is paranoid enough that it would detect such an attack. However, in general, the specification is silent on the matter, and some compliant implementations could easily be vulnerable."

-Ekr

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
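As an added illustration (not code from the paper or from this message): a toy ServerKeyExchange encoding in which the signature covers only the parameters, beside one that also covers the key-exchange algorithm tag, showing why an unsigned tag can be rewritten in transit and why binding it into the signed data stops that. The 3-byte tags, the parameter strings and the HMAC stand-in for the server's RSA signature are all constructed for this example.

```python
import hmac
import hashlib
import struct

# Constructed stand-in for the server's signing key (an HMAC plays the
# role of the RSA signature; the binding question is the same either way).
SERVER_KEY = b"toy-server-signing-key"

def sign(data: bytes) -> bytes:
    """Server 'signature' over data."""
    return hmac.new(SERVER_KEY, data, hashlib.sha256).digest()

def build_ske(kx_alg: bytes, params: bytes, bind_alg: bool) -> bytes:
    """Encode [kx_alg(3)][len(2)][params][sig].

    bind_alg=False: signature covers params only (the flaw quoted above).
    bind_alg=True:  signature covers kx_alg || params (hardened form).
    """
    assert len(kx_alg) == 3
    signed = kx_alg + params if bind_alg else params
    return kx_alg + struct.pack(">H", len(params)) + params + sign(signed)

def verify_ske(msg: bytes, bind_alg: bool):
    """Client side: return (kx_alg, params) if the signature checks, else None."""
    kx_alg = msg[:3]
    (plen,) = struct.unpack(">H", msg[3:5])
    params, sig = msg[5:5 + plen], msg[5 + plen:]
    signed = kx_alg + params if bind_alg else params
    if not hmac.compare_digest(sig, sign(signed)):
        return None
    return kx_alg, params

def rewrite_alg(msg: bytes, new_alg: bytes) -> bytes:
    """Model of an on-path modification: only the algorithm tag changes,
    the signed bytes are untouched."""
    return new_alg + msg[len(new_alg):]

DH_PARAMS = b"p=23,g=5,Ys=8"  # constructed toy Diffie-Hellman parameters

def demo():
    """Returns (flawed_result, hardened_result) after the tag is rewritten."""
    flawed = rewrite_alg(build_ske(b"DH_", DH_PARAMS, False), b"RSA")
    hardened = rewrite_alg(build_ske(b"DH_", DH_PARAMS, True), b"RSA")
    return verify_ske(flawed, False), verify_ske(hardened, True)

if __name__ == "__main__":
    print(demo())
```

In the flawed encoding the client accepts the DH parameters as "RSA" parameters; with the tag inside the signed data the same modification fails verification, which is the length-independent check the quoted text notes the specification does not require.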
