| Name |
Signature Spoofing by Key Recreation |
|
| Likelyhood of attack |
Typical severity |
| Low |
High |
|
| Summary |
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker. |
| Prerequisites |
An authoritative signer is using a weak method of random number generation or weak signing software that causes key leakage or permits key inference. An authoritative signer is using a signature algorithm with a direct weakness or with poorly chosen parameters that enable the key to be recovered using signatures from that signer. |
| Solutions | Ensure cryptographic elements have been sufficiently tested for weaknesses. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-330 |
Use of Insufficiently Random Values |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-473 |
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions. |
|
| Taxonomy: ATTACK |
|
Entry ID
|
Entry Name
|
| 1552.004 |
Unsecure Credentials: Private Keys |
|