[Cryptography] SSH small RSA public exponent
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Oct 11 20:41:10 EDT 2013
Tim Hudson <tjh at cryptsoft.com> writes:
>Does anyone recollect the history behind and the implications of the (open)
>SSH choice of 35 as a hard-wired public exponent?
/* OpenSSH versions up to 5.4 (released in 2010) hardcoded e = 35, which is
both a suboptimal exponent (it's less efficient than a safer value like 257
or F4) and non-prime. The reason for this was that the original SSH used
an e relatively prime to (p-1)(q-1), choosing odd (in both senses of the
word) numbers > 31. 33 or 35 probably ended up being chosen frequently so
it was hardcoded into OpenSSH for cargo-cult reasons, finally being fixed
after more than a decade to use F4. In order to use pre-5.4 OpenSSH keys
that use this odd value we make a special-case exception for SSH use */
Peter.
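An added example, not part of the original post and not taken from the code the quoted comment comes from: a Python audit helper that parses an OpenSSH-format `ssh-rsa` public key line (RFC 4253 layout: algorithm name, then `e`, then `n`) and flags the legacy exponent 35 so that old keys can be found and rotated. The labels returned by `classify_exponent`, the helper names and the sample modulus are assumptions made for the illustration.

```python
import base64
import struct

LEGACY_SSH_E = 35           # value the post says pre-5.4 OpenSSH hardcoded
PREFERRED_E = (257, 65537)  # values the post names as better choices (F4 = 65537)
# Constructed toy modulus (product of two Mersenne primes), not a usable key.
SAMPLE_N = (2**127 - 1) * (2**89 - 1)

def _field(data):
    """Encode one SSH wire-format field: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(x):
    """Encode a positive integer as an SSH mpint (leading zero keeps it positive)."""
    return _field(x.to_bytes(x.bit_length() // 8 + 1, "big"))

def make_line(e, n):
    """Build a constructed 'ssh-rsa <base64>' public key line for the demo."""
    blob = _field(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

def _read(buf, off):
    """Read one length-prefixed field, refusing lengths that overrun the blob."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (size,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + size > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:off + 4 + size], off + 4 + size

def parse_ssh_rsa(line):
    """Return (e, n) from an OpenSSH-format ssh-rsa public key line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa line")
    blob = base64.b64decode(parts[1], validate=True)
    alg, off = _read(blob, 0)
    e_raw, off = _read(blob, off)
    n_raw, off = _read(blob, off)
    if alg != b"ssh-rsa" or off != len(blob):
        raise ValueError("malformed key blob")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")

def classify_exponent(e):
    """Policy sketch: accept preferred values, special-case 35, reject even/tiny."""
    if e in PREFERRED_E:
        return "ok"
    if e == LEGACY_SSH_E:
        return "legacy-ssh"
    return "reject" if e < 3 or e % 2 == 0 else "review"
```

Running `classify_exponent(parse_ssh_rsa(line)[0])` over each line of an `authorized_keys` file gives a quick inventory of keys that still carry the pre-5.4 exponent.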