Elliptic Curve Digital Signature Algorithm (ECDSA) is a digital signature algorithm based upon elliptic curve cryptography. An ECDSA signature consists of two values: r and s. To verify the signature, the signer's public key, r, s and a hash of the message are required. If the two sides of the verification equation match, the signature is valid; otherwise it is invalid.
The verification math involves multiplication. What happens if r and s are both 0? Well, 0 * anything is 0! The first check that ECDSA verification needs to make is that both r and s are greater than 1.
When the ECDSA code in Java was rewritten by a developer without a security background, this restriction was removed. As a result, a zero signature is valid, allowing for the complete bypass of all ECDSA-based systems. Luckily for us, this code hasn't been in production very long.
Overall, a basic cryptography blunder was made in the Java library that affects a ton of companies. If you are writing crypto, please make sure you understand it!