Top News
MTG discovers security vulnerability in CMS and PKCS#7 signatures
On October 22nd, MTG published a paper reporting on a previously unknown fundamental cryptographic vulnerability in the CMS and PKCS#7 protocols.
A security expert from MTG has discovered a fundamental vulnerability in the CMS and PKCS#7 signature protocols. Under certain circumstances, the valid signature on the actually signed data also represents a valid signature for other data that has never been regularly signed. However, the form of this data is very inflexible and the attacker has at most a small amount of influence over it.
Although it is generally very unlikely that a specific real system will become vulnerable due to the inflexible form of the falsely signed data, it cannot be ruled out due to the widespread use of these protocols.
If you do not want to take any risks and want to protect your systems based on CMS or PKCS#7 signatures against this potential vulnerability, you can implement the countermeasures described in our paper.
Picture source: © FLY:D – Unsplash.com