Re: gnupg rsa question // why use e of 41 ?



daw@xxxxxxxxxxxxxxxxxxxxxxxx (David Wagner) writes:

> Sebastian Gottschalk wrote:
>> David Wagner wrote:
>>> Have you seen any implementation mistakes in the wild that render the
>>> library insecure with e=3 but secure with e=65537?
>>
>> As you already said: improper padding.
>
> That's not an implementation mistake. That's a matter of using the wrong
> algorithm entirely! If the spec says "use RSA-OAEP" but the programmer
> actually implements some other algorithm (say, ROT13, because he thinks
> ROT13 is nifty), that's not an implementation mistake.

Nuts. RSA without proper padding is still RSA. The manipulations are
identical. It is an implementation mistake. And the ways to pad are legion.

> Recall that I said "you don't need to use e=65537 if you use proper
> padding"; if you respond by saying "well, but if you forget to use
> proper padding, you might have wished you'd used e=65537", then you are
> fundamentally agreeing with me, not disagreeing.
>
> And, no, I didn't say that improper padding is an example of a mistake
> that makes e=3 insecure but e=65537 secure. With improper padding,
> even e=65537 is insecure. An improperly padded e=65537 RSA library

Well, no. The probability of happening to have a clear text of length
1024/65537 is minuscule. So minuscule it is zero.

> may well be "less insecure" than an improperly padded e=3 RSA library,
> in the sense that it takes more work to exploit it (e.g., more chosen
> messages), but neither is acceptable, and both are still insecure.

Exactly which messages would you use to attack a non-padded implementation
with an e of 65537?
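
Added example (not part of the original post or thread): a Python sketch of the length condition the post refers to with "1024/65537". In textbook RSA with no padding, a message m with m^e < n is never reduced mod n, so the integer e-th root of the ciphertext is the message; the code computes the largest such m for e=3 and e=65537. The modulus N, the sample message and all function names are constructed for this example.

```python
def iroot(x, k):
    """Largest integer r with r**k <= x, found by binary search."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)   # the true root is below hi
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def largest_unreduced(n, e):
    """Largest m for which m**e < n, i.e. m**e mod n == m**e."""
    return iroot(n - 1, e)

def recover_if_unreduced(c, e):
    """Return m if c is an exact e-th power over the integers, else None."""
    r = iroot(c, e)
    return r if r ** e == c else None

# Constructed 1024-bit stand-in modulus. Only the public operation
# c = m^e mod n is exercised, so no real key pair is needed.
N = (1 << 1024) - 159
# Constructed 64-bit message, sent with no padding at all.
SHORT = int.from_bytes(b"PIN=4921", "big")

if __name__ == "__main__":
    for e in (3, 65537):
        limit = largest_unreduced(N, e)
        print(f"e={e}: messages up to {limit.bit_length()} bits are never reduced")
    c = pow(SHORT, 3, N)                      # 192-bit cube, far below N
    m = recover_if_unreduced(c, 3)
    print("e=3 ciphertext root:", m.to_bytes(8, "big"))
    # A message that fills the modulus, as proper padding guarantees,
    # is above the e=3 limit and is reduced mod N.
    print("full-width message reduced:", N // 2 > largest_unreduced(N, 3))
```

With a 1024-bit modulus the limit is about 341 bits for e=3 and exactly m=1 for e=65537. This covers only the no-reduction condition, not the other properties of unpadded RSA discussed in the thread.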
