Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries - 677

Paul Bottinelli - NCC Group. Posted 4 Years Ago
  • Stark Bank is a financial technology company that tries to simplify banking operations, such as transfers and payments. They maintain cryptographic libraries for several different ecosystems. One of these is an Elliptic Curve Digital Signature Algorithm (ECDSA) library.
  • Conceptually, I know it is based upon finding points on a curve. The simplified algorithm goes as follows:
    1. Check that r and s are integers in the [1, n-1] range, where n is the curve order and r, s are the points on the curve.
    2. Compute u1 = zs^-1 % n and u2 = rs^-1 % n.
    3. Compute the elliptic curve point (x, y) = u1 G + u2 Q, where Q is the public key.
    4. If r is congruent to x % n, then the signature is valid.
  • The library was not validating that r and s were within the proper range. As a result, these could be specified as 0,0. In many languages, the multiplicative inverse returns zero if supplied with 0 (even though it is undefined). Why does this matter though?
  • All of the math operations above turn into 0. As a result, the signature algorithm can be passed by simply supplying a signature of 0s for r and s. Wow, that's insane and one hell of a find! This affects all of their libraries in Python, Java, DotNet, Elixir and Node.
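
The missing step 1 check, as an added example (not code from the advisory or from the Stark Bank libraries): a toy-curve verifier with and without the range check, showing why r = s = 0 passes for any message and key. The curve parameters, the (0, 0) encoding of the point at infinity, the Fermat-style inverse and the function names are assumptions of this sketch.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 with generator G of prime order 19.
# Textbook-sized parameters assumed for this sketch; real curves are ~256-bit.
P, A, N, G = 17, 2, 19, (5, 1)
INF = (0, 0)  # assumption: point at infinity encoded as (0, 0), which is off-curve

def inv(x, m):
    # Fermat inverse for prime m. Returns 0 for x == 0 instead of raising,
    # the "inverse of zero is zero" behaviour the page describes.
    return pow(x, m - 2, m)

def add(p1, p2):
    if p1 == INF:
        return p2
    if p2 == INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p2 is the negation of p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    # Double-and-add scalar multiplication; mul(0, pt) is INF.
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def verify_unchecked(z, r, s, q):
    # Steps 2-4 only: step 1 (the range check) is missing.
    w = inv(s, N)
    x, _ = add(mul(z * w % N, G), mul(r * w % N, q))
    return r == x % N

def verify_checked(z, r, s, q):
    # Step 1 restored: reject r or s outside [1, n-1] before any arithmetic.
    if not (1 <= r < N and 1 <= s < N):
        return False
    return verify_unchecked(z, r, s, q)

Q = mul(5, G)  # constructed public key for private key d = 5
print(verify_unchecked(11, 0, 0, Q), verify_checked(11, 0, 0, Q))  # True False
```

With s = 0 the inverse is 0, so u1 and u2 are both 0, the computed point is the (0, 0) sentinel, and r = 0 matches its x coordinate regardless of z or Q.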