Re: gnupg rsa question // why use e of 41 ?

sci.crypt archive

From: Unruh <unruh-spam@physics.ubc.ca>
Date: Sun Apr 30 2006 - 21:09:24 CEST

daw@taverner.cs.berkeley.edu (David Wagner) writes:

>Sebastian Gottschalk wrote:
>>David Wagner wrote:
>>> Have you seen any implementation mistakes in the wild that render the
>>> library insecure with e=3 but secure with e=65537?
>>
>>As you already said: improper padding.

>That's not an implementation mistake. That's a matter of using the wrong
>algorithm entirely! If the spec says "use RSA-OAEP" but the programmer
>actually implements some other algorithm (say, ROT13, because he thinks
>ROT13 is nifty), that's not an implementation mistake.

Nuts. RSA without proper padding is still RSA. The manipulations are
identical. It is an implementation mistake. And the ways to pad are legion.

>Recall that I said "you don't need to use e=65537 if you use proper
>padding"; if you respond by saying "well, but if you forget to use
>proper padding, you might have wished you'd used e=65537", then you are
>fundamentally agreeing with me, not disagreeing.

>And, no, I didn't say that improper padding is an example of a mistake
>that makes e=3 insecure but e=65537 secure. With improper padding,
>even e=65537 is insecure. An improperly padded e=65537 RSA library

Well, no. The probability of happening to have a clear text of length
1024/65537 is minuscule. So minuscule it is zero.

>may well be "less insecure" than an improperly padded e=3 RSA library,
>in the sense that it takes more work to exploit it (e.g., more chosen
>messages), but neither is acceptable, and both are still insecure.

Exactly which messages would you use to attack a non-padded implementation
with an e of 65537?
Received on Mon May 1 02:06:30 2006
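
Added example, not part of the original post: the short-message case the thread argues over, worked through in Python for a 1024-bit modulus with e=3 and e=65537. N and M are constructed for the illustration; only the size of N matters here, so N is a stand-in and not a real key. The block covers this one case only and shows nothing about other properties of unpadded RSA.

```python
# Unpadded RSA computes c = m**e mod n. If m**e < n the reduction never
# happens, so c is an exact e-th power and an integer root returns m.

def iroot(x, k):
    """Largest integer r with r**k <= x (binary search, no floats)."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def max_unwrapped_bits(n_bits, e):
    """Any m shorter than this many bits satisfies m**e < n."""
    return (n_bits - 1) // e

def recover_if_unwrapped(c, e):
    """Return m when c is an exact e-th power over the integers, else None."""
    r = iroot(c, e)
    return r if r ** e == c else None

# Constructed 1024-bit odd number standing in for a modulus (assumption:
# its factorization plays no role in this check, only its size).
N = 2 ** 1024 - 159
# Constructed 32-byte plaintext, encrypted with no padding at all.
M = int.from_bytes(b"constructed 32-byte session key!", "big")

if __name__ == "__main__":
    for e in (3, 65537):
        c = pow(M, e, N)
        got = recover_if_unwrapped(c, e)
        print("e =", e,
              "| safe-from-wrap length:", max_unwrapped_bits(1024, e), "bits",
              "| root recovers M:", got == M)
```

With e=3 every unpadded message under 341 bits is returned by the root; with e=65537 that bound is 0 bits, which is the "1024/65537" figure in the post. Padding to the full modulus width removes the short-message case for either exponent.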