[Cryptography] Zoom publishes draft cryptographic design for end-to-end encryption

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Jun 4 20:50:38 EDT 2020


Ralf Senderek <crypto at senderek.ie> writes:

>On Thu, 4 Jun 2020, Florian Weimer wrote:
>>  Beside DH parameters, the other rather astonishing example is the
>>  public RSA exponent.  You cannot even use a random value there anymore
>>  because some implementations do not allow an arbitrary-precision
>>  integer for it:
>
>In which implementation do you think I found this?

However, even that implementation complains about non-32-bit integers as
exponents. That's based on the fact that in 25 years of use there's only been
one implementation that required a bignum exponent and that was created by
people who were cleverer than everyone else and decided sizeof( e ) must equal
sizeof( n ).  In practice virtually everyone sets e = F4, which is fine.

Oh, except OpenSSH which uses e = 33 or 35, because SSH used an e relatively
prime to (p-1)(q-1), choosing odd (in both senses of the word) numbers > 31.
33 or 35 probably ended up being chosen frequently so it was hardcoded into
OpenSSH for cargo-cult reasons, until it was finally fixed in about version 6,
but there are still enough e = 33 / 35 keys around that you need to special-
case handling for them so either they get used forever once generated or
something is still generating them.

Peter.
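
Added example, not part of the original post and not code from any implementation it mentions: a Python sketch that parses an ssh-rsa public key line and buckets its public exponent the way the message describes (F4, the legacy 33 / 35 values, or wider than 32 bits). The function names, bucket labels and the dummy key builder are this example's own assumptions.

```python
import base64
import struct

F4 = 65537
LEGACY_SSH_EXPONENTS = {33, 35}  # values the post attributes to older OpenSSH keys

def read_field(blob, off):
    """Read one length-prefixed field (RFC 4253 'string'); return (bytes, next offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length")
    (size,) = struct.unpack_from(">I", blob, off)
    if off + 4 + size > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:off + 4 + size], off + 4 + size

def classify_exponent(e):
    """Bucket a public exponent; the bucket names are this example's own."""
    if e < 3 or e % 2 == 0:
        return "invalid"
    if e == F4:
        return "f4"
    if e in LEGACY_SSH_EXPONENTS:
        return "legacy-ssh"
    return "exceeds-32-bit" if e.bit_length() > 32 else "other"

def audit_ssh_rsa_line(line):
    """Parse 'ssh-rsa <base64> [comment]'; return (e, modulus bits, bucket)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    ktype, off = read_field(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key type mismatch inside blob")
    e_raw, off = read_field(blob, off)
    n_raw, off = read_field(blob, off)
    e = int.from_bytes(e_raw, "big", signed=True)  # mpint is two's complement
    n = int.from_bytes(n_raw, "big", signed=True)
    return e, n.bit_length(), classify_exponent(e)

def make_constructed_line(e, n):
    """Encode constructed values as an ssh-rsa line (n is a dummy, not a real modulus)."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    def mpint(v):
        return field(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    blob = field(b"ssh-rsa") + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"
```

Run over an authorized_keys or known_hosts file, the "legacy-ssh" bucket shows how many e = 33 / 35 keys are still in use before any special-case handling for them is dropped.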

