Attacking the Diebold Signature Variant -- RSA Signatures with Unverified High-order Padding
Ryan W. Gardner, Tadayoshi Kohno, and Alec Yasinsac
TL;DR
This paper demonstrates a simple mathematical attack on a flawed RSA signature verification scheme used in voting machines, exploiting unverified high-order padding and a small public exponent to forge signatures efficiently.
Contribution
It reveals a critical vulnerability in a real-world RSA implementation by showing how unverified high-order padding can be exploited with a straightforward attack.
Findings
The attack allows forgery of signatures on arbitrary messages.
The vulnerability is due to improper verification of high-order bits.
The scheme's use of a small public exponent facilitates the attack.
Abstract
We examine a natural but improper implementation of RSA signature verification deployed on the widely used Diebold Touch Screen and Optical Scan voting machines. In the implemented scheme, the verifier fails to examine a large number of the high-order bits of signature padding and the public exponent is three. We present an very mathematically simple attack that enables an adversary to forge signatures on arbitrary messages in a negligible amount of time.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsCryptography and Data Security · Cryptography and Residue Arithmetic