I've just started playing around with the crypto code (and Squeak in general), but I noticed that RSAKeyPairGenerator is using a weak value for e (e=3). This is contrary to recommendations after the revelation at Crypto 2006 by Daniel Bleichenbacher of an attack against some implementations of PKCS#1 v1.5 signatures:

http://csrc.nist.gov/news-highlights/RSA-statement_10-17-06_.pdf

I've looked at RSAKey>>v15VerifySignature:ofMessageHash: and it doesn't seem (to me) to be vulnerable to this specific attack (as it explicitly uses readStream>>upToEnd:). However, the attack also hinges on finding e-th roots, which when e=3 is pretty easy. Using an e>3 gives added insurance against this finding. Interestingly, the DoD PKI has been using e=65537 from the very beginning.

I changed e to 65537 and all seems well. I'd post a patch, but at this point I have no idea how to extract one.

-- Tim

_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Hi Tim,
Thank you for your post. At some point in the past we discussed changing the value for signatures. At that time I believe that we decided to leave it because of the number of implementations that use it. I would agree, from the number of places I just found that say that e=3 should not be used, that we should consider changing it again. I'll spend some more time on it and would encourage anyone else with knowledge on this subject to join this conversation and give us your opinion of the ramifications of changing it.

I will also spend some time looking at the vulnerability to make sure that we are checking the padding and justification appropriately, so that in the future, if other similar vulnerabilities are found, we are doing the right thing.

I found this article, which gives a nice overview of the problem: http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html

I would agree with your estimate that since we use the full value upToEnd: we are probably OK, but that depends on how we are parsing the ASN.1 value from it and whether we are checking for more data afterwards. From the link above:

"These broken implementations go ahead and use the hash, without verifying that there is no more data after it. Failing to add this extra check makes implementations vulnerable to a signature forgery ..."

Thanks,

Ron Teitelbaum
Squeak Cryptography Team Leader

> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Cerebus
> Sent: Wednesday, November 22, 2006 8:20 AM
> To: [hidden email]
> Subject: [Cryptography Team] Weak value of e in RSAKeyPairGenerator
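The two points raised in this thread, generating keys with e=65537 rather than e=3 and making the verifier check that nothing follows the hash in the decoded block, can both be shown in a few dozen lines. The code below is an added example written for this page; it is plain Python, not the Squeak RSAKey or RSAKeyPairGenerator code under discussion, and every function name in it is my own. It assumes SHA-256 with the DigestInfo prefix from RFC 8017 and uses a small Miller-Rabin prime generator so that it runs offline. `verify_lenient` reproduces the broken pattern quoted above (walk the padding, take the hash, ignore whatever comes after it); `verify_strict` recomputes the entire expected block and compares it whole, which is the check the thread says an implementation needs.

```python
"""Added example: e=65537 key generation plus strict vs lenient PKCS#1 v1.5
signature checking. Not Squeak code; names and structure are assumptions."""
import hashlib
import hmac
import math
import secrets

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
F4 = 65537  # Fermat number F4, the exponent the thread recommends over e=3


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; adequate for a demo, not a library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024, e=F4):
    """Returns ((n, e), (n, d)); retries until gcd(e, phi) == 1."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest_info(msg):
    return SHA256_DIGESTINFO + hashlib.sha256(msg).digest()


def emsa_pkcs1_v15(msg, k):
    """EM = 0x00 || 0x01 || PS (0xFF bytes) || 0x00 || DigestInfo, exactly k bytes."""
    t = digest_info(msg)
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def raw_sign_block(priv, em):
    """Applies the private exponent to an arbitrary k-byte block (used by sign and by tests)."""
    n, d = priv
    return pow(int.from_bytes(em, "big"), d, n)


def sign(priv, msg):
    n, _ = priv
    return raw_sign_block(priv, emsa_pkcs1_v15(msg, (n.bit_length() + 7) // 8))


def decode_block(pub, sig):
    """s^e mod n as a k-byte block, or None if the signature is out of range."""
    n, e = pub
    if not 0 <= sig < n:
        return None
    return pow(sig, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def verify_lenient(pub, msg, sig):
    """The broken pattern quoted in the thread: accept once the hash is found,
    without checking that nothing follows it."""
    em = decode_block(pub, sig)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t  # trailing bytes are never examined


def verify_strict(pub, msg, sig):
    """Recompute the whole expected block and compare it in full (RFC 8017, 8.2.2)."""
    em = decode_block(pub, sig)
    return em is not None and hmac.compare_digest(em, emsa_pkcs1_v15(msg, len(em)))
```

The strict form sidesteps the parsing question entirely: there is exactly one valid encoded block for a given modulus size and message, so the verifier never has to reason about where the DigestInfo ends or what may follow it.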
Ditto.

We've known for some time that F3 (3) is worse than F4 (65537). In the olden days we had problems with low exponent attacks. A Google search for Dan Boneh's "20 Years of Attacks on the RSA Cryptosystem" can give some historical perspective.

On Nov 22, 2006, at 5:20 AM, Cerebus wrote: