Weak value of e in RSAKeyPairGenerator

Weak value of e in RSAKeyPairGenerator

cerebus-4
I've just started playing around with the crypto code (and Squeak in
general), but I noticed that RSAKeyPairGenerator is using a weak value
for e (e=3).  This is contrary to recommendations after the revelation
at Crypto 2006 by Daniel Bleichenbacher of an attack against some
implementations of PKCS#1 v1.5 signatures:

http://csrc.nist.gov/news-highlights/RSA-statement_10-17-06_.pdf

I've looked at RSAKey>>v15VerifySignature:ofMessageHash: and it
doesn't seem (to me) to be vulnerable to this specific attack (as it
explicitly uses readStream>>upToEnd:).  However, the attack also
hinges on finding eth roots, which when e=3 is pretty easy.

Using an e>3 gives added insurance against this finding.
Interestingly, the DoD PKI has been using e=65537 from the very
beginning.

I changed e to 65537 and all seems well.  I'd post a patch, but at
this point I have no idea how to extract one.

-- Tim
_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
RE: Weak value of e in RSAKeyPairGenerator

Ron Teitelbaum
Hi Tim,

Thank you for your post.  At some point in the past we discussed changing
the value for signatures.  At that time I believe that we decided to leave
it because of the number of implementations that use it.  I would agree from
the number of places I just found that say that e=3 should not be used that
we should consider changing it again.  I'll spend some more time on it and
would encourage anyone else with knowledge on this subject to join this
conversation and give us your opinion of the ramifications of changing it.  

I will also spend some time looking at the vulnerability to make sure that
we are checking the padding and justification appropriately so that in the
future if other similar vulnerabilities are found we are doing the right
thing.

I found this article
http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html that gives a nice
overview of the problem.

I would agree with your estimate that since we use the full value upToEnd:
that we are probably ok but that depends on how we are parsing the ASN.1
value from it and if we are checking for more data afterwards.

From the link above: "These broken implementations go ahead and use the
hash, without verifying that there is no more data after it. Failing to add
this extra check makes implementations vulnerable to a signature forgery
..."

Thanks,

Ron Teitelbaum
Squeak Cryptography Team Leader

 

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of
> Cerebus
> Sent: Wednesday, November 22, 2006 8:20 AM
> To: [hidden email]
> Subject: [Cryptography Team] Weak value of e in RSAKeyPairGenerator
>
> [original message quoted in full above]

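The check Ron describes (reject any data after the DigestInfo, and do not trust a short padding string) is easiest to get right by re-encoding the expected EMSA-PKCS1-v1_5 block and comparing the whole thing, rather than parsing the block left to right. The following is an added example in Python, not Squeak code and not from the Cryptography Team; it contrasts the lenient left-to-right parser with the re-encode-and-compare verifier on a constructed, malformed encoded message (no key and no forgery are computed, the bad block is simply built by hand), and it also shows the coprimality check key generation must do on e after switching to 65537, using tiny constructed primes that are assumptions for illustration only.

```python
import hashlib
import hmac
import math

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
EM_LEN = 256  # encoded message length for a 2048-bit modulus (assumption)

# Constructed sample message; nothing from the thread is signed here.
CONSTRUCTED_MESSAGE = b"constructed test message"
MESSAGE_HASH = hashlib.sha256(CONSTRUCTED_MESSAGE).digest()


def emsa_pkcs1_v15_encode(msg_hash, em_len):
    """EM = 0x00 || 0x01 || PS || 0x00 || T with T = DigestInfo (RFC 8017, 9.2)."""
    t = SHA256_DIGESTINFO_PREFIX + msg_hash
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def lenient_verify(em, msg_hash):
    """The flawed pattern from the quoted article: walk the block, pull the
    hash out of the DigestInfo, and never look at what follows it."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:   # PS length is not checked
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    body = em[i + 1:]
    if not body.startswith(SHA256_DIGESTINFO_PREFIX):
        return False
    start = len(SHA256_DIGESTINFO_PREFIX)
    found = body[start:start + len(msg_hash)]
    return found == msg_hash             # trailing bytes are silently ignored


def strict_verify(em, msg_hash):
    """Re-encode the expected block and compare every byte: trailing data
    and a short PS both change the block and are rejected."""
    try:
        expected = emsa_pkcs1_v15_encode(msg_hash, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def constructed_malformed_em(msg_hash, em_len):
    """Hand-built block with an 8-byte PS and garbage after the DigestInfo.
    It is assembled directly to exercise the verifiers; no root is taken."""
    t = SHA256_DIGESTINFO_PREFIX + msg_hash
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\xaa" * (em_len - len(head))


def rsa_exponent_usable(e, p, q):
    """Key generation must confirm e is odd, > 1 and coprime with (p-1)(q-1);
    changing the default e does not remove this check."""
    phi = (p - 1) * (q - 1)
    return e > 1 and e % 2 == 1 and math.gcd(e, phi) == 1


def demo():
    good = emsa_pkcs1_v15_encode(MESSAGE_HASH, EM_LEN)
    bad = constructed_malformed_em(MESSAGE_HASH, EM_LEN)
    # Toy primes p=61, q=53 are constructed for illustration only.
    return {
        "lenient_accepts_good": lenient_verify(good, MESSAGE_HASH),
        "strict_accepts_good": strict_verify(good, MESSAGE_HASH),
        "lenient_accepts_bad": lenient_verify(bad, MESSAGE_HASH),
        "strict_accepts_bad": strict_verify(bad, MESSAGE_HASH),
        "e65537_usable_toy": rsa_exponent_usable(65537, 61, 53),
        "e3_usable_toy": rsa_exponent_usable(3, 61, 53),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lenient verifier accepts the malformed block because it only checks the bytes it parses, while the strict verifier rejects it because the padding length and the trailing bytes both differ from the single valid encoding. The toy primes also show why the gcd check matters: with p=61 and q=53, e=3 divides (p-1)(q-1) and is not even a valid exponent, whereas 65537 is.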
Re: Weak value of e in RSAKeyPairGenerator

msh
In reply to this post by cerebus-4
Ditto.

We've known for some time that F3 (3) is worse than F4 (65537). In
the olden days we had problems with low exponent attacks. A Google
search for Dan Boneh's "20 Years of Attacks on the RSA Cryptosystem"
can give some historical perspective.

On Nov 22, 2006, at 5:20 AM, Cerebus wrote:

> [original message quoted in full above]