[Cryptography Team] Weak value of e in RSAKeyPairGenerator

Ron Teitelbaum Ron at USMedRec.com
Wed Nov 22 14:54:35 UTC 2006


Hi Tim,

Thank you for your post.  At some point in the past we discussed changing
the value for signatures.  At that time I believe that we decided to leave
it because of the number of implementations that use it.  I would agree from
the number of places I just found that say that e=3 should not be used that
we should consider changing it again.  I'll spend some more time on it and
would encourage anyone else with knowledge on this subject to join this
conversation and give us your opinion of the ramifications of changing it.  

I will also spend some time looking at the vulnerability to make sure that
we are checking the padding and justification appropriately so that in the
future if other similar vulnerabilities are found we are doing the right
thing. 

I found this article
http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html that gives a nice
overview of the problem.

I would agree with your estimate that since we use the full value upToEnd:
that we are probably ok, but that depends on how we are parsing the ASN.1
value from it and if we are checking for more data afterwards.

From the link above: "These broken implementations go ahead and use the
hash, without verifying that there is no more data after it. Failing to add
this extra check makes implementations vulnerable to a signature forgery
..."

Thanks, 

Ron Teitelbaum
Squeak Cryptography Team Leader
> -----Original Message-----
> From: cryptography-bounces at lists.squeakfoundation.org
> [mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf Of
> Cerebus
> Sent: Wednesday, November 22, 2006 8:20 AM
> To: cryptography at lists.squeakfoundation.org
> Subject: [Cryptography Team] Weak value of e in RSAKeyPairGenerator
> 
> I've just started playing around with the crypto code (and Squeak in
> general), but I noticed that RSAKeyPairGenerator is using a weak value
> for e (e=3).  This is contrary to recommendations after the revelation
> at Crypto 2006 by Daniel Bleichenbacher of an attack against some
> implementations of PKCS#1 v1.5 signatures:
> 
> http://csrc.nist.gov/news-highlights/RSA-statement_10-17-06_.pdf
> 
> I've looked at RSAKey>>v15VerifySignature:ofMessageHash: and it
> doesn't seem (to me) to be vulnerable to this specific attack (as it
> explicitly uses readStream>>upToEnd:).  However, the attack also
> hinges on finding eth roots, which when e=3 is pretty easy.
> 
> Using an e>3 gives added insurance against this finding.
> Interestingly, the DoD PKI has been using e=65537 from the very
> beginning.
> 
> I changed e to 65537 and all seems well.  I'd post a patch, but at
> this point I have no idea how to extract one.
> 
> -- Tim
> _______________________________________________
> Cryptography mailing list
> Cryptography at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
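The "check for more data after the hash" point both messages make is easiest to see side by side. The following is an added example in Python, not Squeak code and not part of this thread: it builds the PKCS#1 v1.5 encoded message (EM) for a SHA-256 digest and compares a strict verifier, which reconstructs the whole expected EM and compares every byte (the equivalent of reading upToEnd: and comparing the full value), against a deliberately lax parser of the kind the linked article describes, which walks the padding, reads the DigestInfo and ignores whatever follows. The message, the modulus length (1024 bits, so a 128-byte EM) and the trailing filler bytes are all constructed for the demonstration; the DigestInfo prefix is the standard SHA-256 DER prefix from RFC 8017. No signing or root-finding is shown, only the verifier-side check.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 8017, Section 9.2, Note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_emsa_pkcs1_v15(msg_hash: bytes, em_len: int) -> bytes:
    """Build EM = 0x00 || 0x01 || PS || 0x00 || T exactly as RFC 8017 specifies.

    PS is at least eight 0xFF bytes and fills the block so that len(EM) == em_len.
    """
    t = SHA256_DIGESTINFO_PREFIX + msg_hash
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_em_strict(em: bytes, msg_hash: bytes, em_len: int) -> bool:
    """Strict check: the whole EM must equal the freshly encoded expected EM.

    Because the complete block is compared, short padding or any bytes after
    the DigestInfo cause a mismatch.  compare_digest avoids an early-exit
    comparison leaking where the first differing byte is.
    """
    if len(em) != em_len:
        return False
    return hmac.compare_digest(em, encode_emsa_pkcs1_v15(msg_hash, em_len))


def verify_em_lax(em: bytes, msg_hash: bytes) -> bool:
    """Deliberately broken parser modelled on the quoted description.

    It accepts any number of 0xFF bytes, reads the DigestInfo that follows the
    0x00 separator, compares only the hash, and never checks that the
    DigestInfo reaches the end of the block.  Kept here only to show what the
    strict verifier rejects.
    """
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t_len = len(SHA256_DIGESTINFO_PREFIX) + len(msg_hash)
    return em[i:i + t_len] == SHA256_DIGESTINFO_PREFIX + msg_hash
    # Anything in em[i + t_len:] is silently ignored: that is the defect.


def build_short_padding_em(msg_hash: bytes, em_len: int, filler: int = 0x2A) -> bytes:
    """Constructed malformed EM: minimal padding, valid DigestInfo, then filler.

    This is the *shape* a lax parser wrongly accepts; the filler value is an
    arbitrary constructed byte and no attempt is made to make it a valid
    signature under any key.
    """
    t = SHA256_DIGESTINFO_PREFIX + msg_hash
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + bytes([filler]) * (em_len - len(head))


def demo(em_len: int = 128) -> dict:
    """Run both verifiers over a well-formed and a malformed EM."""
    msg_hash = hashlib.sha256(b"constructed message for the demo").digest()
    good = encode_emsa_pkcs1_v15(msg_hash, em_len)
    malformed = build_short_padding_em(msg_hash, em_len)
    return {
        "good_strict": verify_em_strict(good, msg_hash, em_len),
        "good_lax": verify_em_lax(good, msg_hash),
        "malformed_strict": verify_em_strict(malformed, msg_hash, em_len),
        "malformed_lax": verify_em_lax(malformed, msg_hash),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The well-formed EM passes both verifiers; the malformed one is accepted by the lax parser and rejected by the strict one. Reconstructing the expected EM and comparing the entire block, rather than walking the padding and stopping at the hash, is the check Ron's message says the Squeak code needs to be doing, and it is independent of the choice of e; a larger e such as 65537 is the second, separate line of defence Tim describes.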