Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
Jonathan Katz wrote: On Mon, 26 Mar 2012, Thierry Moreau wrote: Florian Weimer wrote: * Thierry Moreau: The unusual public RSA exponent may well be an indication that the signature key pair was generated by a software implementation not encompassing the commonly-agreed (among number-theoreticians having surveyed the field) desirable strategies. I don't think this conclusion is warranted. Most textbooks covering RSA do not address key generation in much detail. Even the Menezes et al. (1996) is a bit sketchy, but it mentions e=3 and e=2**16+1 as "used in practice". Knuth (1981) fixes e=3. On the other side, two popular cryptography textbooks, Schneier (1996) and Stinson (2002), recommend to choose e randomly. None of these sources gives precise guidance on how to generate the key material, although Menezes et al. gives several examples of what you should not do. The original RSA publication suggests generating the RSA modulus N, and then the encryption and decryption exponents, resp. e and d, so that the first selection of the public exponent e might be rejected. The current recommendations fixes the decryption exponent, and then tries random N until e mod phi(N) and d mod phi(N) are both >1. The current "desirable strategies" encompass more provisions, of course. That can't be correct, for several reasons: - If you deterministically fix the decryption exponent in advance, then everyone knows it. (Maybe you meant "choose d at random, and then find N compatible with that choice of d." Still, I don't see why you would do that, and if you did then there is no particular reason e would not come out to be non-prime.) - Maybe you meant to fix e in advance, and then find N compatible with that value of e. But the check for compatibility is that gcd(e, phi(N))=1, not that e mod \phi(N) > 1. My apologies to everyone. Indeed I had the basic RSA math wrong, but you made the appropriate corrections. Thanks. (I indeed meant to fix e in advance.) Going back to the original question, I see no reason why non-prime e should be much less secure than prime e. In particular: - The information leaked to the attacker is that gcd(e, \phi(N)) = 1. So the attacker arguably learns a bit more information about the factors of N if e is non-prime than if e is prime. But I don't see how this information can be used to help speed up current factoring algorithms. - Fix e = e1 * e2, where e1 ande2b are prime. Conditioned on the fact that gcd(e, phi(N))=1, it is as secure to use public exponent e1 (or e2) as to use public exponent e. In particular, if an attacker could invert RSA with public exponent e, then it could also invert using public exponent e1; the (easy) reduction is left to the reader. =) Yes. For the record, in the Katz-Lindell book we say that choice of e is arbitrary as far as security goes, but e=3 is prefered in practice for efficiency. The number theoretic publications supporting erecommended by the original RSA article -- and e=2 -- the Rabin-Williams cryptosystem -- are plenty and fascinating, but hard to summarize with my above-demonstrated inability to write maths! - Thierry Moreau ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
On Mon, 26 Mar 2012, Thierry Moreau wrote: Florian Weimer wrote: * Thierry Moreau: The unusual public RSA exponent may well be an indication that the signature key pair was generated by a software implementation not encompassing the commonly-agreed (among number-theoreticians having surveyed the field) desirable strategies. I don't think this conclusion is warranted. Most textbooks covering RSA do not address key generation in much detail. Even the Menezes et al. (1996) is a bit sketchy, but it mentions e=3 and e=2**16+1 as "used in practice". Knuth (1981) fixes e=3. On the other side, two popular cryptography textbooks, Schneier (1996) and Stinson (2002), recommend to choose e randomly. None of these sources gives precise guidance on how to generate the key material, although Menezes et al. gives several examples of what you should not do. The original RSA publication suggests generating the RSA modulus N, and then the encryption and decryption exponents, resp. e and d, so that the first selection of the public exponent e might be rejected. The current recommendations fixes the decryption exponent, and then tries random N until e mod phi(N) and d mod phi(N) are both >1. The current "desirable strategies" encompass more provisions, of course. That can't be correct, for several reasons: - If you deterministically fix the decryption exponent in advance, then everyone knows it. (Maybe you meant "choose d at random, and then find N compatible with that choice of d." Still, I don't see why you would do that, and if you did then there is no particular reason e would not come out to be non-prime.) - Maybe you meant to fix e in advance, and then find N compatible with that value of e. But the check for compatibility is that gcd(e, phi(N))=1, not that e mod \phi(N) > 1. Going back to the original question, I see no reason why non-prime e should be much less secure than prime e. In particular: - The information leaked to the attacker is that gcd(e, \phi(N)) = 1. So the attacker arguably learns a bit more information about the factors of N if e is non-prime than if e is prime. But I don't see how this information can be used to help speed up current factoring algorithms. - Fix e = e1 * e2, where e1 ande2b are prime. Conditioned on the fact that gcd(e, phi(N))=1, it is as secure to use public exponent e1 (or e2) as to use public exponent e. In particular, if an attacker could invert RSA with public exponent e, then it could also invert using public exponent e1; the (easy) reduction is left to the reader. =) For the record, in the Katz-Lindell book we say that choice of e is arbitrary as far as security goes, but e=3 is prefered in practice for efficiency. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
Florian Weimer wrote: * Thierry Moreau: The unusual public RSA exponent may well be an indication that the signature key pair was generated by a software implementation not encompassing the commonly-agreed (among number-theoreticians having surveyed the field) desirable strategies. I don't think this conclusion is warranted. Most textbooks covering RSA do not address key generation in much detail. Even the Menezes et al. (1996) is a bit sketchy, but it mentions e=3 and e=2**16+1 as "used in practice". Knuth (1981) fixes e=3. On the other side, two popular cryptography textbooks, Schneier (1996) and Stinson (2002), recommend to choose e randomly. None of these sources gives precise guidance on how to generate the key material, although Menezes et al. gives several examples of what you should not do. The original RSA publication suggests generating the RSA modulus N, and then the encryption and decryption exponents, resp. e and d, so that the first selection of the public exponent e might be rejected. The current recommendations fixes the decryption exponent, and then tries random N until e mod phi(N) and d mod phi(N) are both >1. The current "desirable strategies" encompass more provisions, of course. What I meant is that the occurrence of an encryption exponent not "used in practice" may be an indication that the key generation procedure was more like the one suggested in the original RSA publication. - Thierry Moreau ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
On Mar 25, 2012, at 1:16 PM, Florian Weimer wrote: > * Thierry Moreau: > >> The unusual public RSA exponent may well be an indication that the >> signature key pair was generated by a software implementation not >> encompassing the commonly-agreed (among number-theoreticians having >> surveyed the field) desirable strategies. > > I don't think this conclusion is warranted. Most textbooks covering > RSA do not address key generation in much detail. Even the Menezes et > al. (1996) is a bit sketchy, but it mentions e=3 and e=2**16+1 as > "used in practice". Knuth (1981) fixes e=3. On the other side, two > popular cryptography textbooks, Schneier (1996) and Stinson (2002), > recommend to choose e randomly. None of these sources gives precise > guidance on how to generate the key material, although Menezes et al. > gives several examples of what you should not do. 2^16+1 (or numbers of that pattern) give good performance for encryption or for signature verification. NIST's standards require that public keys be odd, positive [sic] integers between 65537 and 2^256-1 (http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf). --Steve Bellovin, https://www.cs.columbia.edu/~smb ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
* Thierry Moreau: > The unusual public RSA exponent may well be an indication that the > signature key pair was generated by a software implementation not > encompassing the commonly-agreed (among number-theoreticians having > surveyed the field) desirable strategies. I don't think this conclusion is warranted. Most textbooks covering RSA do not address key generation in much detail. Even the Menezes et al. (1996) is a bit sketchy, but it mentions e=3 and e=2**16+1 as "used in practice". Knuth (1981) fixes e=3. On the other side, two popular cryptography textbooks, Schneier (1996) and Stinson (2002), recommend to choose e randomly. None of these sources gives precise guidance on how to generate the key material, although Menezes et al. gives several examples of what you should not do. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
On Fri, Mar 23, 2012 at 3:00 AM, Florian Weingarten wrote: > On 03/22/2012 11:29 PM, Jeffrey Walton wrote: >> Is there any benefit to using an exponent that factors? I always >> thought low hamming weights and primality were the desired attributes >> for public exponents. And I'm not sure about primality. > > Not that I know of. At least Textbook RSA doesn't require primality, > just coprimality to (p-1)(q-1). Thanks Florian. I was aware of coprimality. I guess that begs the next question: why are theses certificates* limiting the exponent to 2 octets (ie, uint16)? Why not 4, 8 or arbitrary? Jeff * I ran into another certificate yesterday on android-security-discuss. Weird. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
Please let me try to summarize. I guess it is OK to infer from Adam explanations and Peter observation about homegrown CA software implementations used by some CAs that ... The unusual public RSA exponent may well be an indication that the signature key pair was generated by a software implementation not encompassing the commonly-agreed (among number-theoreticians having surveyed the field) desirable strategies. At a modulus size of 2048 bits, I wouldn't lose sleep on this hypothesis. - Thierry Adam Back wrote: As to why conventionally e is a small low hamming weight prime, even though it doesnt have to be, I suspect it arose because some RSA code used to generate not strong primes, but random primes. If you generate a random prime, then the factors of P=(p-1)/2, Q=(q-1)/2 will be random. But quite likely to contain 3, somewhat likely to contain 5 etc with decreasing probability for larger potential prime factors. (And crucially for strength, it is unlikely a random prime will be B-smooth for dangerously small B.) Anyway so consider you choose a random pair of primes p & q, and a random or fixed non-prime small low hamming weight e.. say 2^15-1, it has factors 3x3x11x331, so then you very often will have to abort and try again a new e or a new p and/or q because P or Q will factorize by some of these small factors, and then d will not be computable. Consequently it'll be simpler and faster to pick a prime e, for a given size e a prime has the lowest probability of having a co-factor with carmichael(n). If you have strong primes which I think is more common at this point, e could be any random odd (non-even) number, presumably with low hamming weight. Low hamming weight is a performance trick for modexp which involves more multiply operations for higher hamming weight. Adam On Fri, Mar 23, 2012 at 03:05:48PM +0100, Adam Back wrote: I presume its implied (too much tongue in cheek stuff for my literal brain to interpret) but a self-signed CA cert is a serious thing - thats a sub-CA cert typically. How that came to be signed with a bizarre though legal e parameter is scary - what library or who wrote the code etc. Usual reason to use primes of form 2^n+1 and co-prime to carmichael(n) is low hamming weight. Other than that typically p, q are strong primes P=(p-1)/2, Q=(q-1)/2 also prime, so any odd (non-even) e is pretty much guaranteed to work as carm(n) = 2*P*Q where P = (p-1)/2, Q = (q-1)/2. Or if using Lim-Lee primes, at least B-smooth, meaning P=P1*P2*...Pn where |Pi|>B for all Pi. And e would typically be smaller than B-bits anyway for performance. (If e is not-coprime to carm(n) then d doesnt exist, as modinv(a,x) requires gcd(a,x)==1, so its not like it will be insecure, it just wont work!) e should also not be too small or other attacks kick in. Dan Boneh has a good summary of RSA limitations: http://www.ams.org/notices/199902/boneh.pdf Adam ps carm(n) = phi(n)/2 = (p-1)*(q-1)/2. On Fri, Mar 23, 2012 at 06:51:51AM -0700, Jon Callas wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mar 23, 2012, at 6:39 AM, Peter Gutmann wrote: Jon Callas writes: On Mar 23, 2012, at 6:03 AM, Peter Gutmann wrote: Jeffrey Walton writes: Is there any benefit to using an exponent that factors? I always thought low hamming weights and primality were the desired attributes for public exponents. And I'm not sure about primality. Seeing a CA put a key like this in a cert is a bit like walking down the street and noticing someone coming towards you wearing their underpants on their head, there's nothing inherently bad about this but you do tend to want to cross the street to make sure that you avoid them. But Peter, CAs don't *precisely* put keys into certs. CAs certify a key that the key creator wants to have in their cert. This is a self-signed cert from the CA, so the key creator was the CA. So it's like issuing yourself an Artistic License card with a color printer and laminator. :-) Good for lots of laughs. Jon -BEGIN PGP SIGNATURE- Version: PGP Universal 3.2.0 (Build 1672) Charset: us-ascii wj8DBQFPbIAAsTedWZOD3gYRAo4KAKDuG0OgEg81mxGUJDGlYp5OzLMI/gCgkRRq /G3T3NLS/8k1L4njuxMJMd0= =tHSy -END PGP SIGNATURE- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
As to why conventionally e is a small low hamming weight prime, even though it doesnt have to be, I suspect it arose because some RSA code used to generate not strong primes, but random primes. If you generate a random prime, then the factors of P=(p-1)/2, Q=(q-1)/2 will be random. But quite likely to contain 3, somewhat likely to contain 5 etc with decreasing probability for larger potential prime factors. (And crucially for strength, it is unlikely a random prime will be B-smooth for dangerously small B.) Anyway so consider you choose a random pair of primes p & q, and a random or fixed non-prime small low hamming weight e.. say 2^15-1, it has factors 3x3x11x331, so then you very often will have to abort and try again a new e or a new p and/or q because P or Q will factorize by some of these small factors, and then d will not be computable. Consequently it'll be simpler and faster to pick a prime e, for a given size e a prime has the lowest probability of having a co-factor with carmichael(n). If you have strong primes which I think is more common at this point, e could be any random odd (non-even) number, presumably with low hamming weight. Low hamming weight is a performance trick for modexp which involves more multiply operations for higher hamming weight. Adam On Fri, Mar 23, 2012 at 03:05:48PM +0100, Adam Back wrote: I presume its implied (too much tongue in cheek stuff for my literal brain to interpret) but a self-signed CA cert is a serious thing - thats a sub-CA cert typically. How that came to be signed with a bizarre though legal e parameter is scary - what library or who wrote the code etc. Usual reason to use primes of form 2^n+1 and co-prime to carmichael(n) is low hamming weight. Other than that typically p, q are strong primes P=(p-1)/2, Q=(q-1)/2 also prime, so any odd (non-even) e is pretty much guaranteed to work as carm(n) = 2*P*Q where P = (p-1)/2, Q = (q-1)/2. Or if using Lim-Lee primes, at least B-smooth, meaning P=P1*P2*...Pn where |Pi|>B for all Pi. And e would typically be smaller than B-bits anyway for performance. (If e is not-coprime to carm(n) then d doesnt exist, as modinv(a,x) requires gcd(a,x)==1, so its not like it will be insecure, it just wont work!) e should also not be too small or other attacks kick in. Dan Boneh has a good summary of RSA limitations: http://www.ams.org/notices/199902/boneh.pdf Adam ps carm(n) = phi(n)/2 = (p-1)*(q-1)/2. On Fri, Mar 23, 2012 at 06:51:51AM -0700, Jon Callas wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mar 23, 2012, at 6:39 AM, Peter Gutmann wrote: Jon Callas writes: On Mar 23, 2012, at 6:03 AM, Peter Gutmann wrote: Jeffrey Walton writes: Is there any benefit to using an exponent that factors? I always thought low hamming weights and primality were the desired attributes for public exponents. And I'm not sure about primality. Seeing a CA put a key like this in a cert is a bit like walking down the street and noticing someone coming towards you wearing their underpants on their head, there's nothing inherently bad about this but you do tend to want to cross the street to make sure that you avoid them. But Peter, CAs don't *precisely* put keys into certs. CAs certify a key that the key creator wants to have in their cert. This is a self-signed cert from the CA, so the key creator was the CA. So it's like issuing yourself an Artistic License card with a color printer and laminator. :-) Good for lots of laughs. Jon -BEGIN PGP SIGNATURE- Version: PGP Universal 3.2.0 (Build 1672) Charset: us-ascii wj8DBQFPbIAAsTedWZOD3gYRAo4KAKDuG0OgEg81mxGUJDGlYp5OzLMI/gCgkRRq /G3T3NLS/8k1L4njuxMJMd0= =tHSy -END PGP SIGNATURE- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
Adam Back writes: >I presume its implied (too much tongue in cheek stuff for my literal brain to >interpret) but a self-signed CA cert is a serious thing Replying partially to this and partially to an off-list message about "how do we know it's genuine", look in your browser's trusted CA list, under 'NetLock Halozatbiztonsagi Kft.'. >what library or who wrote the code etc. A number of European CAs created their own PKI implementations from scratch, with many interesting... features. Peter. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
I presume its implied (too much tongue in cheek stuff for my literal brain to interpret) but a self-signed CA cert is a serious thing - thats a sub-CA cert typically. How that came to be signed with a bizarre though legal e parameter is scary - what library or who wrote the code etc. Usual reason to use primes of form 2^n+1 and co-prime to carmichael(n) is low hamming weight. Other than that typically p, q are strong primes P=(p-1)/2, Q=(q-1)/2 also prime, so any odd (non-even) e is pretty much guaranteed to work as carm(n) = 2*P*Q where P = (p-1)/2, Q = (q-1)/2. Or if using Lim-Lee primes, at least B-smooth, meaning P=P1*P2*...Pn where |Pi|>B for all Pi. And e would typically be smaller than B-bits anyway for performance. (If e is not-coprime to carm(n) then d doesnt exist, as modinv(a,x) requires gcd(a,x)==1, so its not like it will be insecure, it just wont work!) e should also not be too small or other attacks kick in. Dan Boneh has a good summary of RSA limitations: http://www.ams.org/notices/199902/boneh.pdf Adam ps carm(n) = phi(n)/2 = (p-1)*(q-1)/2. On Fri, Mar 23, 2012 at 06:51:51AM -0700, Jon Callas wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mar 23, 2012, at 6:39 AM, Peter Gutmann wrote: Jon Callas writes: On Mar 23, 2012, at 6:03 AM, Peter Gutmann wrote: Jeffrey Walton writes: Is there any benefit to using an exponent that factors? I always thought low hamming weights and primality were the desired attributes for public exponents. And I'm not sure about primality. Seeing a CA put a key like this in a cert is a bit like walking down the street and noticing someone coming towards you wearing their underpants on their head, there's nothing inherently bad about this but you do tend to want to cross the street to make sure that you avoid them. But Peter, CAs don't *precisely* put keys into certs. CAs certify a key that the key creator wants to have in their cert. This is a self-signed cert from the CA, so the key creator was the CA. So it's like issuing yourself an Artistic License card with a color printer and laminator. :-) Good for lots of laughs. Jon -BEGIN PGP SIGNATURE- Version: PGP Universal 3.2.0 (Build 1672) Charset: us-ascii wj8DBQFPbIAAsTedWZOD3gYRAo4KAKDuG0OgEg81mxGUJDGlYp5OzLMI/gCgkRRq /G3T3NLS/8k1L4njuxMJMd0= =tHSy -END PGP SIGNATURE- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mar 23, 2012, at 6:39 AM, Peter Gutmann wrote: > Jon Callas writes: >> On Mar 23, 2012, at 6:03 AM, Peter Gutmann wrote: >>> Jeffrey Walton writes: Is there any benefit to using an exponent that factors? I always thought low hamming weights and primality were the desired attributes for public exponents. And I'm not sure about primality. >>> >>> Seeing a CA put a key like this in a cert is a bit like walking down the >>> street and noticing someone coming towards you wearing their underpants on >>> their head, there's nothing inherently bad about this but you do tend to >>> want >>> to cross the street to make sure that you avoid them. >> >> But Peter, CAs don't *precisely* put keys into certs. CAs certify a key that >> the key creator wants to have in their cert. > > This is a self-signed cert from the CA, so the key creator was the CA. So it's like issuing yourself an Artistic License card with a color printer and laminator. :-) Good for lots of laughs. Jon -BEGIN PGP SIGNATURE- Version: PGP Universal 3.2.0 (Build 1672) Charset: us-ascii wj8DBQFPbIAAsTedWZOD3gYRAo4KAKDuG0OgEg81mxGUJDGlYp5OzLMI/gCgkRRq /G3T3NLS/8k1L4njuxMJMd0= =tHSy -END PGP SIGNATURE- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
Jon Callas writes: >On Mar 23, 2012, at 6:03 AM, Peter Gutmann wrote: >> Jeffrey Walton writes: >>> Is there any benefit to using an exponent that factors? I always thought low >>> hamming weights and primality were the desired attributes for public >>> exponents. And I'm not sure about primality. >> >> Seeing a CA put a key like this in a cert is a bit like walking down the >> street and noticing someone coming towards you wearing their underpants on >> their head, there's nothing inherently bad about this but you do tend to want >> to cross the street to make sure that you avoid them. > >But Peter, CAs don't *precisely* put keys into certs. CAs certify a key that >the key creator wants to have in their cert. This is a self-signed cert from the CA, so the key creator was the CA. Peter. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mar 23, 2012, at 6:03 AM, Peter Gutmann wrote: > Jeffrey Walton writes: > >> Is there any benefit to using an exponent that factors? I always thought low >> hamming weights and primality were the desired attributes for public >> exponents. And I'm not sure about primality. > > Seeing a CA put a key like this in a cert is a bit like walking down the > street and noticing someone coming towards you wearing their underpants on > their head, there's nothing inherently bad about this but you do tend to want > to cross the street to make sure that you avoid them. But Peter, CAs don't *precisely* put keys into certs. CAs certify a key that the key creator wants to have in their cert. It's far more like someone coming into the DMV with a colander on their head and saying they're a Pastafarian and this is their religious headdress. If you refuse to let them wear the colander it's likely worse than if you do and really, it's their problem at the end of the day. Jon -BEGIN PGP SIGNATURE- Version: PGP Universal 3.2.0 (Build 1672) Charset: us-ascii wj8DBQFPbHp9sTedWZOD3gYRAn+jAKCpMrt8HeaY7SueljFDSFZjlvaVnQCeOW0J FEHY8ekvvkN3bCWYrONi7Mw= =Apj2 -END PGP SIGNATURE- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
Jeffrey Walton writes: >Is there any benefit to using an exponent that factors? I always thought low >hamming weights and primality were the desired attributes for public >exponents. And I'm not sure about primality. Seeing a CA put a key like this in a cert is a bit like walking down the street and noticing someone coming towards you wearing their underpants on their head, there's nothing inherently bad about this but you do tend to want to cross the street to make sure that you avoid them. Peter. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
On 03/22/2012 11:29 PM, Jeffrey Walton wrote: > Is there any benefit to using an exponent that factors? I always > thought low hamming weights and primality were the desired attributes > for public exponents. And I'm not sure about primality. Not that I know of. At least Textbook RSA doesn't require primality, just coprimality to (p-1)(q-1). ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
Hi Guys, I came across the following certificate today on a RedHat box: http://www.dotcomhost.com/pleskinstaller/MivaVM/5.09/cgi-bin/certs/8317b10c.0. The thing that caught my eye was the public exponent of 50557. I know it factors to {13, 3889}. Is there any benefit to using an exponent that factors? I always thought low hamming weights and primality were the desired attributes for public exponents. And I'm not sure about primality. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography