Sebastian Gottschalk wrote:
>David Wagner wrote:
>> Have you seen any implementation mistakes in the wild that render the
>> library insecure with e=3 but secure with e=65537?
>
>As you already said: improper padding.

That's not an implementation mistake. That's a matter of using the wrong
algorithm entirely! If the spec says "use RSA-OAEP" but the programmer
actually implements some other algorithm (say, ROT13, because he thinks
ROT13 is nifty), that's not an implementation mistake.

Recall that I said "you don't need to use e=65537 if you use proper
padding"; if you respond by saying "well, but if you forget to use
proper padding, you might have wished you'd used e=65537", then you are
fundamentally agreeing with me, not disagreeing.

And, no, I didn't say that improper padding is an example of a mistake
that makes e=3 insecure but e=65537 secure. With improper padding,
even e=65537 is insecure. An improperly padded e=65537 RSA library
may well be "less insecure" than an improperly padded e=3 RSA library,
in the sense that it takes more work to exploit it (e.g., more chosen
messages), but neither is acceptable, and both are still insecure.
Received on Mon May 1 02:06:27 2006
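
The message's point that RSA without proper padding is unsound under either exponent can be checked with a property test. This is an added example, not code from the thread or from any library it discusses; the toy primes, function names and sample values are constructed for illustration, and it shows two general properties of raw RSA rather than any specific library flaw.

```python
from math import gcd

# Constructed toy primes (far too small for real use). Both are 2 mod 3,
# so e=3 and e=65537 are both valid exponents for this modulus.
P, Q = 1_000_000_007, 998_244_353
N = P * Q
PHI = (P - 1) * (Q - 1)

def private_exponent(e):
    """Return d with e*d = 1 mod phi(N); reject unusable exponents."""
    if gcd(e, PHI) != 1:
        raise ValueError("e shares a factor with phi(N)")
    return pow(e, -1, PHI)

def raw_encrypt(m, e):
    """Unpadded RSA: deterministic, no randomness, no structure check."""
    return pow(m, e, N)

def raw_decrypt(c, d):
    return pow(c, d, N)

def is_malleable(e, m, factor):
    """True if a ciphertext can be altered, using only public values,
    so that it decrypts to a predictable multiple of the plaintext."""
    d = private_exponent(e)
    c = raw_encrypt(m, e)
    altered = (c * pow(factor, e, N)) % N
    return raw_decrypt(altered, d) == (m * factor) % N

def is_guessable(e, m, candidates):
    """True if a short candidate list plus the public key is enough to
    recognise which plaintext a ciphertext holds (no semantic security)."""
    c = raw_encrypt(m, e)
    return [g for g in candidates if raw_encrypt(g, e) == c] == [m]

def audit(e):
    """Both results should be False for a correctly padded scheme."""
    return {
        "malleable": is_malleable(e, 123_456_789, 2),
        "guessable": is_guessable(e, 42, [7, 42, 99]),
    }

if __name__ == "__main__":
    for e in (3, 65537):
        print(e, audit(e))
```

Both exponents give the same result, which matches the message: a larger e does not restore the properties that randomized padding such as RSA-OAEP is there to provide.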