Score:1

How to determine curve's field size in a ECDSA Signature

in flag

There is a bug in some firmware I'm working that states the following:

If individual coordinates are shorter or longer than the curve’s field size they are processed incorrectly.

So I can get the coordinates from the signature, R and S, but I have no idea how to determine the curve's field size.

I am specifically looking at this certificate for AWS IoT

-----BEGIN CERTIFICATE-----
MIIDhzCCAy2gAwIBAgIQF+SpiRTfcZT9xPl3Soz4nTAKBggqhkjOPQQDAjCBgDEL
MAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYD
VQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTEwLwYDVQQDEyhTeW1hbnRlYyBD
bGFzcyAzIEVDQyAyNTYgYml0IFNTTCBDQSAtIEcyMB4XDTIwMDgxNzAwMDAwMFoX
DTIxMDgxODIzNTk1OVowdzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0
b24xEDAOBgNVBAcMB1NlYXR0bGUxGTAXBgNVBAoMEEFtYXpvbi5jb20sIEluYy4x
JjAkBgNVBAMMHSouaW90LnVzLWVhc3QtMS5hbWF6b25hd3MuY29tMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEIovCJVKZaWFewxZ53PJMVfekj8AZRY37L7WsXjO/
Q3X46R/62ps82FR+cRmNh/I5SvcrmAvMGlM+1hl1LiE6q6OCAY8wggGLMEUGA1Ud
EQQ+MDyCG2lvdC51cy1lYXN0LTEuYW1hem9uYXdzLmNvbYIdKi5pb3QudXMtZWFz
dC0xLmFtYXpvbmF3cy5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCB4AwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGEGA1UdIARaMFgwVgYGZ4EMAQIC
MEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUF
BwICMBkMF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMB8GA1UdIwQYMBaAFCXwiuFL
etkBlQrtxlPxjHgf2fP4MCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9yYy5zeW1j
Yi5jb20vcmMuY3JsMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDov
L3JjLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL3JjLnN5bWNiLmNvbS9y
Yy5jcnQwCgYIKoZIzj0EAwIDSAAwRQIgAKO6zCfmxUpg1BVa1s2Y2WiWPSpNlpDa
syCuV6Lm6YkCIQD0I2WI1gP9zqk4lxlOfBb/2S4zOw/1OU9QV8BadDCe7w==
-----END CERTIFICATE-----

Thanks!

Score:1
in flag

Your certificate contains a public key, the P-256 or secp256r1 or prime256v1 you can see here. However, the key is in uncompressed format (starting with a byte 04 and then 64 random looking bytes) and the domain parameters are specified using an OID with the curve mentioned above. So the only coordinates are those of the public key, and those are always the same 1 + 64 bytes; there is no problem there.

So probably you are talking about R and S as you mention in the question. However, R is a random number and S is the corresponding randomized signature, which means that they are not coordinates.

Now the curve is not specified; it is specified in the issuer certificate which is referenced in this one. However, we can safely assume that it is the same curve we are talking about. Of course, if you are building a verifier, then you should retrieve the curve and public key out of the issuer certificate though.

As you can see in the last part of the certificate:

BIT STRING (568 bit) 0011000001000101000000100010000000000000101000111011101011001100001001…
    SEQUENCE (2 elem)
      INTEGER (248 bit) 2892853004106127101112322441046660521562717594643885711748150025403073…
      INTEGER (256 bit) 1104268754670564871921027255657571260094376165878172031675520861809130…

The random value is 248 bits and the signature is 256 bits. These values simply have to be smaller than the field size. This means that the signed, big endian, dynamic length encoding of these integers can differ. If you have bad code then in this case the R component may be smaller than what you would expect; if you'd just assume 256 bit then you would be in trouble.

What you have to do is to make sure your software will interpret these numbers if they are encoded as 1 byte, as 33 bytes (including 00 padding byte at the left) or any size in between. After that you may have to re-encode them as 32 + 32 = 64 bytes for your signature verification to work.

Or you can just use software that verifies the ANS X9.62 signature format of course. Or use a library that simply accepts R and S as separate numbers using some kind of "bignum" library.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.