Home / Early Warning / Cybersecurity Highlights / Cryptographic flaw in ECDSA implementation in Java

Cryptographic flaw in ECDSA implementation in Java

04/19/2022

The Elliptic Curve Digital Signature Algorithm (ECDSA), used in Java and Oracle to digitally sign messages and data to verify the authenticity and integrity of content, is vulnerable due to a signature verification flaw, which could allow malicious downloads to pass for benign content.

This cryptographic error, called Psychic Signatures, is caused by the lack of validation of the (R,S) values used by ECDSA, since if both values are (0,0), the verification would always be valid regardless of the rest of the values.