Exponent 3 damage spreads...
Simon Josefsson
jas at extundo.com
Thu Sep 21 12:28:17 EDT 2006
pgut001 at cs.auckland.ac.nz (Peter Gutmann) writes:
>>Consequently, I think the focus on e=3 is misguided.
>
> It's not at all misguided. This whole debate about trying to hang on to e=3
> seems like the argument about epicycles, you modify the theory to handle
> anomalies, then you modify it again to handle further anomalies, then you
> modify it again, and again, ... Alternatively, you say that the earth
> revolves around the sun, and all of the kludges upon kludges go away.
> Similarly, the thousands of words of nitpicking standards, bashing ASN.1, and
> so on ad nauseam, can be eliminated entirely by following one simple rule:
>
> Don't use e=3
>
> This is never going to be reliably fixed if the "fix" is to assume that every
> implementor and implementation everywhere can get every minuscule detail right
> every time. The fix is to stop using e=3 and be done with it.

Not using e=3 when generating a key seems like an easy sell.

A harder sell might be whether widely deployed implementations such as
TLS should start to reject signatures done with an e=3 RSA key.

What do people think, is there sufficient grounds for actually
_rejecting_ e=3 signatures?

One alternative would be to produce a warning, similar to what is
sometimes done for MD2 and MD5 today.

Btw, by default, OpenSSH's ssh-keygen appears to use e=35 (0x23..),
GnuPG (libgcrypt), GnuTLS and OpenSSL appear to all use e=65537, BIND
dnssec-keygen appears to use e=3.

/Simon
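
The accept/warn/reject choice raised in this message, sketched as an added example (not part of the original post and not code from any of the projects named in it): a strict parser for a PKCS#1 RSAPublicKey plus an exponent policy. The function names, the `mode` and `flagged` parameters and the sample key are assumptions made for illustration.

```python
# Added example; the policy modes and the flagged set are illustrative assumptions.
def _read_tlv(buf, pos, tag):
    """Strict DER: read one TLV at pos, return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated input")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: next k bytes hold the length
        k = length & 0x7F
        if k == 0 or k > 4 or pos + k > len(buf) or buf[pos] == 0:
            raise ValueError("bad or non-minimal length")
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if length < 0x80:
            raise ValueError("non-minimal length")
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return buf[pos:pos + length], pos + length

def _uint(raw):
    """Decode a positive, minimally encoded DER INTEGER."""
    if not raw or raw[0] & 0x80 or (len(raw) > 1 and raw[0] == 0 and not raw[1] & 0x80):
        raise ValueError("negative or non-minimal INTEGER")
    return int.from_bytes(raw, "big")

def parse_rsa_public_key(der):
    """Parse PKCS#1 RSAPublicKey ::= SEQUENCE { modulus, publicExponent }."""
    body, end = _read_tlv(der, 0, 0x30)
    n_raw, pos = _read_tlv(body, 0, 0x02)
    e_raw, pos = _read_tlv(body, pos, 0x02)
    if end != len(der) or pos != len(body):
        raise ValueError("trailing bytes")
    return _uint(n_raw), _uint(e_raw)

def exponent_policy(der, mode="warn", flagged=(3,)):
    """Return 'accept', 'warn' or 'reject' based on the key's public exponent."""
    _, e = parse_rsa_public_key(der)
    if e < 3 or e % 2 == 0:
        return "reject"  # not a valid RSA public exponent
    if e in flagged:
        return "reject" if mode == "reject" else "warn"
    return "accept"

def _enc(tag, value):
    k = (len(value).bit_length() + 7) // 8
    hdr = bytes([len(value)]) if len(value) < 0x80 else bytes([0x80 | k]) + len(value).to_bytes(k, "big")
    return bytes([tag]) + hdr + value

def sample_key(e, n=(1 << 1023) | 1):
    """Constructed input: n is a placeholder 1024-bit odd number, not a real modulus."""
    return _enc(0x30, b"".join(_enc(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big")) for x in (n, e)))
```

With `mode="warn"` an e=3 key is flagged but still usable, which corresponds to the MD2/MD5-style warning; `mode="reject"` is the stricter option the message asks about.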