[Cryptography Team] Weak value of e in RSAKeyPairGenerator

Cerebus cerebus2 at gmail.com
Wed Nov 22 13:20:06 UTC 2006


I've just started playing around with the crypto code (and Squeak in
general), but I noticed that RSAKeyPairGenerator is using a weak value
for e (e=3).  This is contrary to recommendations after the revelation
at Crypto 2006 by Daniel Bleichenbacher of an attack against some
implementations of PKCS#1 v1.5 signatures:

http://csrc.nist.gov/news-highlights/RSA-statement_10-17-06_.pdf

I've looked at RSAKey>>v15VerifySignature:ofMessageHash: and it
doesn't seem (to me) to be vulnerable to this specific attack (as it
explicitly uses readStream>>upToEnd:).  However, the attack also
hinges on finding eth roots, which when e=3 is pretty easy.

Using an e>3 gives added insurance against this finding.
Interestingly, the DoD PKI has been using e=65537 from the very
beginning.

I changed e to 65537 and all seems well.  I'd post a patch, but at
this point I have no idea how to extract one.

-- Tim
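
The distinction drawn in the message above, between a PKCS#1 v1.5 verifier that checks the padded block all the way to its end and one that stops after the hash, shown as an added Python example; it is not the Squeak Cryptography code and not part of the original post. All function names, the toy key and the sample blocks are constructed for illustration, with e=65537 as in the message.

```python
import hashlib

# DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def encode(digest: bytes, k: int) -> bytes:
    """The single valid k-byte block: 00 01 FF..FF 00 DigestInfo."""
    t = SHA1_PREFIX + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def lax_check(em: bytes, digest: bytes) -> bool:
    """Flawed parser: skips the padding, reads the hash, ignores what follows."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = SHA1_PREFIX + digest
    return em[i + 1:i + 1 + len(t)] == t  # trailing bytes never examined

def strict_check(em: bytes, digest: bytes) -> bool:
    """Encode-then-compare: every byte up to the end of the block must match."""
    try:
        return em == encode(digest, len(em))
    except ValueError:
        return False

def verify(sig: int, n: int, e: int, digest: bytes) -> bool:
    """RSA public operation followed by the strict check."""
    if not 0 <= sig < n:
        return False
    k = (n.bit_length() + 7) // 8
    return strict_check(pow(sig, e, n).to_bytes(k, "big"), digest)

# Constructed toy key from two Mersenne primes (never use such primes for real).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
DIGEST = hashlib.sha1(b"constructed sample message").digest()
GOOD = encode(DIGEST, K)
SIG = pow(int.from_bytes(GOOD, "big"), D, N)
# Constructed malformed block: short padding, then filler bytes after the hash.
BAD = b"\x00\x01" + b"\xff" * 8 + b"\x00" + SHA1_PREFIX + DIGEST
BAD += b"\x00" * (K - len(BAD))
```

The lax parser accepts both `GOOD` and `BAD`; the strict comparison accepts only `GOOD`, which is the property a verifier needs regardless of the value of e.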

