[Cryptography Team] Weak value of e in RSAKeyPairGenerator

Matthew S. Hamrick mhamrick at cryptonomicon.net
Wed Nov 22 20:27:10 UTC 2006


Ditto.

We've known for some time that F3 (3) is worse than F4 (65537). In
the olden days we had problems with low exponent attacks. A Google
search for Dan Boneh's "20 Years of Attacks on the RSA Cryptosystem"
can give some historical perspective.

On Nov 22, 2006, at 5:20 AM, Cerebus wrote:

> I've just started playing around with the crypto code (and Squeak in
> general), but I noticed that RSAKeyPairGenerator is using a weak value
> for e (e=3).  This is contrary to recommendations after the revelation
> at Crypto 2006 by Daniel Bleichenbacher of an attack against some
> implementations of PKCS#1 v1.5 signatures:
>
> http://csrc.nist.gov/news-highlights/RSA-statement_10-17-06_.pdf
>
> I've looked at RSAKey>>v15VerifySignature:ofMessageHash: and it
> doesn't seem (to me) to be vulnerable to this specific attack (as it
> explicitly uses readStream>>upToEnd:).  However, the attack also
> hinges on finding e-th roots, which when e=3 is pretty easy.
>
> Using an e>3 gives added insurance against this finding.
> Interestingly, the DoD PKI has been using e=65537 from the very
> beginning.
>
> I changed e to 65537 and all seems well.  I'd post a patch, but at
> this point I have no idea how to extract one.
>
> -- Tim


