Name Signature Spoofing by Key Recreation
Summary An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Prerequisites An authoritative signer is using a weak method of random number generation or weak signing software that causes key leakage or permits key inference. An authoritative signer is using a signature algorithm with a direct weakness or with poorly chosen parameters that enable the key to be recovered using signatures from that signer.
Solutions Ensure cryptographic elements have been sufficiently tested for weaknesses.
Related Weaknesses
CWE ID Description
CWE-310 Cryptographic Issues
CWE-330 Use of Insufficiently Random Values
Back to Top