
dotnet security: How Secure is RSA-SHA1?



anoop
1/1/2007 11:17:00 PM
Hello,
I am doing the security audit of a .Net application developed on
ASP.Net 1.1. The developer has informed me that he has implemented RSA-SHA1
for the authentication module, the credentials of which are shown below.

challenge=AbDwjDe34zzDBEzF5WdnzPuNTUY%3D&hidFlag=T&posx=79e5b
30ea23345a0395c371d39cc4524fbd3b293d510f676112fa54b89714d0877
e5410e3bfe1cd9189b2927c4f7f72687f94e14e48e2a642914a6202e7c
3c6eeecf59e2ddc41a0a0a7b7e42370d142cc7756e38277cac21f2ff182
19e5ad13088134261f7ab9a59bc076d7e27bf418b9fd45630ed33bbb57
bbd18b67108b6ba&txtUID=&txtPWD=

Now I wanted to know if this type of security can also be breached by an
attacker. If this is possible, then how? Please help.

Thanks in advance
Valery Pryamikov
1/2/2007 2:33:38 PM
Hi,
the information that you have given us doesn't allow us to say whether it
is secure or not. RSA and SHA-1 are building blocks that can be used
for building very secure as well as absolutely insecure protocols.
However, secure protocols are a fiercely difficult thing! Judging by the
number of digits, it is 1024-bit RSA, which is quite secure if it
is used properly. SHA-1 has some problems with collision-resistance:
Wang et al. showed in 2005 that SHA-1 collisions are possible much
more easily than they should be for a hash of that size; however, it
still requires quite a lot of work to produce a SHA-1 collision (i.e.
no one has managed to find two different values that hash with
SHA-1 to the same value yet). If reductionist security matters, then
they should have been using something like RSA-PSS or RSA Full Domain
Hash signatures, but even with a PKCS 1.5 RSA-SHA-1 signature it would
hardly be the weakest part.
My prediction is: if the authentication protocol was developed by your
developer(s), then apparently it is insecure. If it is a standard
protocol that they implemented, it is difficult to assess the
security without further details, such as a complete and concise
description of the protocol. There are many standard authentication
protocols that have weaknesses; however, if this is a solid standard
(such as, for example, some of the ISO authentication protocols), known
weaknesses are usually described together with a description of the usage
scenario that they may affect...

-Valery.
http://www.harper.no/valery
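The following is an added example, written for this page and not code from either poster or from the audited application. It sketches the challenge-response shape the thread is discussing in Go, and uses the thread's own posx and challenge strings only to show what their lengths reveal: 256 hex digits is a 128-byte raw RSA signature, i.e. a 1024-bit modulus (Valery's "judging by the number of digits"), and the challenge decodes to 20 bytes. Everything else (the server, the single-use challenge store, the switch between legacy PKCS#1 v1.5 with SHA-1 and RSA-PSS with SHA-256, the generated key) is an assumption about how such a module could be built, not a description of the real one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// posx exactly as posted in the thread (the concatenation follows the forum's line wrapping).
const PostedPosx = "79e5b" +
	"30ea23345a0395c371d39cc4524fbd3b293d510f676112fa54b89714d0877" +
	"e5410e3bfe1cd9189b2927c4f7f72687f94e14e48e2a642914a6202e7c" +
	"3c6eeecf59e2ddc41a0a0a7b7e42370d142cc7756e38277cac21f2ff182" +
	"19e5ad13088134261f7ab9a59bc076d7e27bf418b9fd45630ed33bbb57" +
	"bbd18b67108b6ba"

// challenge parameter exactly as posted (URL-encoded base64).
const PostedChallenge = "AbDwjDe34zzDBEzF5WdnzPuNTUY%3D"

// InferModulusBits: a raw RSA signature is exactly as long as the modulus,
// so the hex length of the value tells you the key size.
func InferModulusBits(hexSig string) (int, error) {
	raw, err := hex.DecodeString(hexSig)
	if err != nil {
		return 0, err
	}
	return len(raw) * 8, nil
}

// DecodeChallenge undoes the query-string escaping and the base64.
func DecodeChallenge(param string) ([]byte, error) {
	s, err := url.QueryUnescape(param)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(s)
}

// Server (assumed design): the client proves possession of the private key by
// signing a server-issued, random, single-use challenge.
type Server struct {
	pub    *rsa.PublicKey
	issued map[string]bool // hex(challenge) -> still valid
}

func NewServer(pub *rsa.PublicKey) *Server {
	return &Server{pub: pub, issued: map[string]bool{}}
}

// Issue returns a fresh 20-byte random challenge (same length as the posted one).
func (s *Server) Issue() ([]byte, error) {
	c := make([]byte, 20)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[hex.EncodeToString(c)] = true
	return c, nil
}

// Verify checks freshness first, then the signature. pss=false is the legacy
// PKCS#1 v1.5 + SHA-1 combination the thread calls RSA-SHA1; pss=true is RSA-PSS + SHA-256.
func (s *Server) Verify(challenge []byte, hexSig string, pss bool) error {
	key := hex.EncodeToString(challenge)
	if !s.issued[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.issued, key) // burn it before checking, so a replay fails regardless of outcome
	sig, err := hex.DecodeString(hexSig)
	if err != nil {
		return err
	}
	if pss {
		d := sha256.Sum256(challenge)
		return rsa.VerifyPSS(s.pub, crypto.SHA256, d[:], sig, nil)
	}
	d := sha1.Sum(challenge)
	return rsa.VerifyPKCS1v15(s.pub, crypto.SHA1, d[:], sig)
}

// Sign is the client side; it returns the hex signature in the posx style.
func Sign(priv *rsa.PrivateKey, challenge []byte, pss bool) (string, error) {
	var sig []byte
	var err error
	if pss {
		d := sha256.Sum256(challenge)
		sig, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
	} else {
		d := sha1.Sum(challenge)
		sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, d[:])
	}
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(sig), nil
}

// RunRound does issue -> sign -> verify -> replay for a generated key and reports
// the inferred signature size, whether the first verify passed and whether the replay was rejected.
func RunRound(bits int, pss bool) (sigBits int, firstOK, replayRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits) // 1024 matches the thread; do not go below it
	if err != nil {
		return
	}
	srv := NewServer(&priv.PublicKey)
	c, err := srv.Issue()
	if err != nil {
		return
	}
	sig, err := Sign(priv, c, pss)
	if err != nil {
		return
	}
	sigBits, err = InferModulusBits(sig)
	if err != nil {
		return
	}
	firstOK = srv.Verify(c, sig, pss) == nil
	replayRejected = srv.Verify(c, sig, pss) != nil
	return
}

func main() {
	n, _ := InferModulusBits(PostedPosx)
	ch, _ := DecodeChallenge(PostedChallenge)
	fmt.Printf("posted posx: %d-bit signature; posted challenge: %d bytes\n", n, len(ch))
	for _, pss := range []bool{false, true} {
		bits, ok, rep, err := RunRound(1024, pss)
		fmt.Println("pss:", pss, "sig bits:", bits, "verified:", ok, "replay rejected:", rep, "err:", err)
	}
}
```

The PKCS#1 v1.5/SHA-1 path is kept only to mirror what the thread calls RSA-SHA1; the PSS/SHA-256 path is the one to prefer. Note that both signature modes pass the cryptographic check equally well, which is Valery's point: the building blocks are fine, and what decides whether this login is sound is the protocol around them, i.e. that the challenge is random, bound to one session and accepted only once, that the public key the server verifies against is the registered one, and that the empty txtUID/txtPWD fields do not open a second, weaker path.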
