Hi,

On Thu, 20 Jun 2002, a y wrote:

> >*Maybe* ... but even then it doesn't solve the case of public keys.
> >Moreover, how do you actually test a public key? What does "check"
> >actually mean in this case?
> >
> > .........
> >
> >Cheers,
> >Geoff
>
> I would suggest the following for checking RSA public keys:
>
> 1) that the public exponent e satisfies 3 <= e < n and that
>    e is odd (PKCS#1) [this doesn't prevent low exponent
>    attacks however]
> 2) that the modulus n is not a probable prime
>    (e.g., apply 80 rounds of Miller-Rabin)
> 3) that n is not divisible by small primes
> 4) that n is not a perfect power
> 5) that n provides a suitable setting for the factoring
>    problem (e.g., |n| > 512 bits or 768 bits, etc.), and give
>    a warning if it is not.
>
> I am working on some code which I hope to donate to
> OpenSSL that accomplishes (4) and more...

Yay, thanks. BTW: If you have any thoughts about how to test a full keypair using higher-level operations, that would help too. :-)

We can pretty much always assume 'n' and 'e' are structurally intact, no matter what kind of ENGINE you happen to have lurking around (for one thing, it would probably break lots of ssl/ code if this were not the case). Beyond that however, you can't really guarantee much in the general case except that the RSA_[public|private]_[de|en]crypt() functions should generally work correctly according to wherever the genuine key elements are (HSM, remote, smart-card, stored in alternative format, etc).

Obviously, we could test that (n,e) and (n,d) invert one another for any given 0<x<n, but whether that combined with your public-key tests would suffice ... I'm not sure.

Cheers,
Geoff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
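
The five public-key checks from the quoted list and the keypair inversion test from the reply, as an added Python sketch that is not part of the original e-mail and is not OpenSSL code. The function names, the small-prime list, the `min_bits=768` default and the sample key are assumptions made for illustration.

```python
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rounds=80):
    """Miller-Rabin with random bases (check 2 suggests 80 rounds)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: n is composite
    return True

def is_perfect_power(n):
    """True if n == a**k for some integers a >= 2, k >= 2 (binary search per k)."""
    for k in range(2, n.bit_length() + 1):
        lo, hi = 2, 1 << (n.bit_length() // k + 1)
        while lo <= hi:
            mid = (lo + hi) // 2
            if mid ** k == n:
                return True
            lo, hi = (mid + 1, hi) if mid ** k < n else (lo, mid - 1)
    return False

def check_public_key(n, e, min_bits=768):
    """Return the numbers (1-5) of the checks from the quoted list that fail."""
    tests = {1: 3 <= e < n and e % 2 == 1,
             2: not is_probable_prime(n),
             3: all(n % p for p in SMALL_PRIMES),
             4: not is_perfect_power(n),
             5: n.bit_length() > min_bits}  # the list asks for a warning only
    return [num for num, ok in tests.items() if not ok]

def keypair_inverts(n, e, d, trials=8):
    """The reply's keypair test: (n,e) and (n,d) invert each other for 0 < x < n."""
    xs = [random.randrange(1, n) for _ in range(trials)]
    return all(pow(pow(x, e, n), d, n) == x for x in xs)

# Constructed sample key from two Mersenne primes; far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
```

The inversion test only needs modular exponentiation with `e` and `d`, so it maps onto the case in the reply where the private elements live behind an ENGINE and only the encrypt/decrypt operations are reachable.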