by NovemberWhiskey 721 days ago
What's described here is called "signature with (total) message recovery" as opposed to the more common "signature with appendix". This is a legitimate technique used when the message payloads are small and can be worked on directly by the cryptographic signature operation rather than being hashed and the signed-hash being appended.

In this case, PKCS #1 v1.5 is used for an RSA signature. The choice of PKCS #1 v1.5 is perfectly adequate for the digital signature scenario and was proven secure in 2018 (ref. https://eprint.iacr.org/2018/855.pdf).

EDIT: eh, PKCS #1 v1.5 is proven secure for a set of assumptions that I don't think apply to this case.

I think the security strength of this signature with message recovery approach is limited by the extent to which the maximum message length exceeds the signature size. You can choose random signatures until you get one that verifies to a syntactically-valid PKCS #1 padded string, which "only" requires an initial 88 bit match, based on the required minimum padding length.

You won't get a syntactically valid (per the apparent specification for the certificate) result, but it would be broken at the cryptographic level.

I mean, realistically, it's probably fine but, yeah.

1 comments
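The scheme the comment above describes, as an added illustration that is not code from the HN post or from the project it discusses: RSA signature with total message recovery over PKCS #1 v1.5 block-type-1 padding, a strict parser for the recovered block, and the 11-byte (88-bit) fixed prefix that is the only thing such a verifier can reject on. The key is a constructed toy built from two Mersenne primes and is far below any real key size.

```python
# Added illustration (not code from the HN thread or the project it discusses):
# RSA "signature with message recovery" using PKCS #1 v1.5 block-type-1 padding,
# plus a strict parser for the recovered block. The toy key is constructed from
# two Mersenne primes so the demo runs instantly; it is nowhere near real size.

MIN_PS_LEN = 8  # PKCS #1 v1.5 requires at least eight padding bytes

def pkcs1_v15_type1_encode(msg: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xFF * >= 8) || 0x00 || msg, exactly k bytes."""
    ps_len = k - len(msg) - 3
    if ps_len < MIN_PS_LEN:
        raise ValueError("message too long for this modulus")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + msg

def pkcs1_v15_type1_decode(em: bytes):
    """Strict parse: return the recovered message, or None if padding is malformed."""
    if len(em) < MIN_PS_LEN + 3 or em[0] != 0x00 or em[1] != 0x01:
        return None
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    # need at least eight 0xFF bytes followed by the 0x00 separator
    if i - 2 < MIN_PS_LEN or i >= len(em) or em[i] != 0x00:
        return None
    return em[i + 1:]

def fixed_prefix_bits() -> int:
    """Bits a random block must match before the parser accepts it:
    0x00, 0x01, eight 0xFF bytes and the 0x00 separator = 11 bytes = 88 bits.
    With total message recovery there is no hash to cross-check, so this
    structural match is the only check the verifier has."""
    return 8 * (1 + 1 + MIN_PS_LEN + 1)

# Constructed toy key: p = 2^127 - 1, q = 2^107 - 1 (both Mersenne primes).
P, Q, E = (1 << 127) - 1, (1 << 107) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

def sign_with_recovery(msg: bytes) -> int:
    """Signature = EM^d mod n; the message travels inside the signature."""
    em = pkcs1_v15_type1_encode(msg, K)
    return pow(int.from_bytes(em, "big"), D, N)

def verify_and_recover(sig: int):
    """EM = sig^e mod n; accept only if the block parses strictly."""
    if not 0 < sig < N:
        return None
    em = pow(sig, E, N).to_bytes(K, "big")
    return pkcs1_v15_type1_decode(em)
```

A verifier that is lenient about the padding (fewer than eight 0xFF bytes, or no separator check) lowers the 88-bit structural match, which is why the decoder above rejects anything that is not exactly the specified layout.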

Thank you for the reference! I will definitely amend my post as soon as possible.