[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RSA Key spec question

To: ietf-open-pgp@xxxxxxx, bill.stewart@xxxxxxxxx
Subject: Re: RSA Key spec question
From: jimg@xxxxxxxxxx (Jim Gillogly)
Date: Fri, 10 Apr 1998 11:26:03 -0700
Sender: owner-ietf-open-pgp@xxxxxxx

> At 10:33 AM 4/3/98 -0500, tzeruch - at - ceddec - dot - com wrote:
> >E is 17 in pgp, but often 3 or 65567 elsewhere.  I know why 2**N+1, but is
> >there anything that should be said about this in the spec?
> >
> >(Testing 2.6.2 v.s. SSLeay from long ago proved that any value of E worked
> >in either; But only some could be generated, or would be by default).

Bill Stewart writes:
> The spec says that PKCS1 padding is required for the encrypted
> session key packet, but it doesn't explicitly say that
> in a message with multiple recipients, EVERY encrypted session
> key packet needs to use a different random padding, as opposed to 
> making one copy of m and encrypting it separately with each key.
> This needs to be fixed.
> 
> The issue is preventing the low-exponent attack on RSA,
> which is a particular risk for e=3, but occasionally messages
> will have more than e=17 RSA-using recipients.

Indeed.  My PGP keyring may be odd, but I have several PGP keys
that have exponents other than e=17:  Richard Outerbridge's,
Arnold Reinhold's, David Stoler's, and the IETF Registrar's all
use 65537, and Christopher Drake (0xC0DED00D) has a 69-bit
exponent.  I'm guessing that's not an accidental number. :)

	Jim Gillogly

Prev by Date: Re: RSA Key spec question
Next by Date: Well, I did a pgpv command...
Previous by thread: character set
Next by thread: SecureConnect 1 announcement
Index(es):
- Date
- Thread