Nils Larsch via RT wrote:
...
>> The included minor patch of apps/genrsa.c adds a new option for exponent
>> selection to the genrsa command.
...
> principally I'm not against such a change but I wonder how useful this
> feature is (or, in other words, how likely is it that a user selects
> a good exponent if [s]he doesn't want to use f4 and not something
> like 1) ? Another alternative might be to let the user specify a range
> from which a randomly generated exponent is used ...
The security of the RSA algorithm does not depend (in general) on the choice of the exponent, certainly excluding exponent 1 and very small exponents for encryption purposes. So there are no 'good' or 'bad' odd exponents. But I agree that the selection of exponent 1 MUST be prevented as well as the selection of even ones. Sorry, I forgot to include that in the patch.

Small exponents give the advantage of faster signature verification, but in fact you can't really observe that. A prime exponent e theoretically speeds up the prime factor search, remember that e must be coprime with (p-1) and (q-1), which is more likely if e is prime. But this is in the GHz century also not very important.

If the user wants to choose a randomly generated exponent [s]he may use "openssl rand -hex 4" for that, .... oops the option '-hex' is missing yet ;-), but for now "openssl rand 4 | od -An -w8" could do the job, so there is no need to have a complex exponent selection procedure.

> Btw: your patch removes the description of the '-3' option.

The description of the '-3' may not be needed anymore.

Useful or not, at least the European Commission Regulation 1360/2002
http://eur-lex.europa.eu/LexUriServ/site/en/oj/2002/l_207/l_20720020805en00010252.pdf
on recording equipment in road transport (aka tachograph specification) requires in CSM_014 that RSA public exponents shall have the length 64 bits maximum (and no other restrictions), so OpenSSL with the proposed patch may be used to generate keys with e.g. e=0xFFFFFFFFFFFFFFFF.

It is not really necessary to include this proposed change in OpenSSL, but this surprisingly small patch may be helpful if you are going to test the OpenSSL routines. OpenSSL does not reject RSA keys with exponents different from 3 and F4.

Regards,
Ann.
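An added example, not from the thread or from OpenSSL's code, that checks a candidate public exponent against the constraints discussed above (odd, not 1, coprime with (p-1) and (q-1), and at most 64 bits as CSM_014 requires) and confirms the resulting key round-trips. The toy primes and the in-process random-exponent helper are constructed for illustration only.

```python
import math
import secrets


def exponent_problems(e: int, p: int, q: int, max_bits: int = 64) -> list:
    """Return the reasons (empty if none) why e is unusable as an RSA public
    exponent for primes p and q: e must be greater than 1, odd, coprime with
    (p-1) and (q-1), and (tachograph CSM_014 profile) at most max_bits long."""
    problems = []
    if e <= 1:
        problems.append("e must be greater than 1")
    if e % 2 == 0:
        problems.append("e must be odd")
    if e.bit_length() > max_bits:
        problems.append(f"e exceeds {max_bits} bits")
    if math.gcd(e, p - 1) != 1 or math.gcd(e, q - 1) != 1:
        problems.append("e is not coprime with (p-1)(q-1)")
    return problems


def random_odd_exponent(bits: int) -> int:
    """Random odd exponent of exactly `bits` bits; an in-process analogue of
    the `openssl rand 4 | od -An -w8` idea (top and bottom bits forced to 1
    so the value is odd and has the requested length). Constructed helper."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def roundtrip_ok(e: int, p: int, q: int, m: int = 42) -> bool:
    """Reject bad exponents, otherwise derive d and check that m survives
    an RSA encrypt/decrypt round-trip under the toy key (p, q)."""
    if exponent_problems(e, p, q):
        return False
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; requires Python 3.8+
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    # Constructed toy primes: 23 and 47 give (p-1)(q-1) = 1012, coprime to 2^64-1.
    print(exponent_problems(0xFFFFFFFFFFFFFFFF, 23, 47))  # []
    print(exponent_problems(3, 61, 53))  # gcd(3, 60) != 1 -> rejected
    print(roundtrip_ok(0xFFFFFFFFFFFFFFFF, 23, 47))  # True
```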
