CAPEC-475

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: Low Severity: High
Signature Spoofing by Improper Validation

Description

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.

Prerequisites

Recipient is using a weak cryptographic signature verification algorithm or a weak implementation of a cryptographic signature verification algorithm, or the configuration of the recipient's application accepts the use of keys generated using cryptographically weak signature verification algorithms.

Mitigations

Use programs and products that contain cryptographic elements that have been thoroughly tested for flaws in the signature verification routines.

Skills Required

[High] Cryptanalysis of signature verification algorithm

[High] Reverse engineering and cryptanalysis of signature verification algorithm implementation