Re: [Cfrg] e=3 a bad idea?
David McGrew <mcgrew@cisco.com> Tue, 19 September 2006 20:02 UTC
From: David McGrew <mcgrew@cisco.com>
Subject: Re: [Cfrg] e=3 a bad idea?
Date: Tue, 19 Sep 2006 13:02:25 -0700
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: cfrg@ietf.org
Hi Steve,

a BCP recommending RSA exponents sounds like a great idea to me. I share your concerns with e=3, though I'm not an expert in that area - for all I know that exponent may be regarded as acceptable under some circumstances. If so, it would be valuable to document those conditions, so I'm in favor of a BCP regardless.

FWIW, there was a question about e=3 last year about whether or not that parameter choice was OK to recommend for use in RFC 4359 (http://www1.ietf.org/mail-archive/web/cfrg/current/msg00597.html). It was mentioned that it might be OK to use e=3 with OAEP, but IIRC there was no discussion on this point (either for or against).

David

--

p.s. - a couple more attacks, which won't work against PKCS#1 AFAIK but which support your suggestion:

Don Coppersmith: Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. J. Cryptology 10(4): 233-260 (1997)

and http://citeseer.ist.psu.edu/coppersmith96lowexponent.html

On Sep 19, 2006, at 8:21 AM, Steven M. Bellovin wrote:

> Is it worth having a short BCP suggesting that e=3 is in general a bad
> idea? I've seen several different attacks that all work against low
> exponents, most recently Bleichenbacher's new attack on PKCS #1 v1.5.
> (Two others are
> http://www.rsasecurity.com/rsalabs/staff/bios/bkaliski/publications/hash-firewalls/kaliski-hash-firewalls-ct-rsa-2002.pdf
> and http://www.cs.ucdavis.edu/~franklin/pubs/low_rsa.ps ). Yes, all of
> these require other factors to be effective, but what's the next
> attack?
>
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
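The Bleichenbacher attack on PKCS #1 v1.5 mentioned above works against verifiers that parse the decoded signature block loosely, and e=3 is what makes that loose parsing cheap to abuse; the defence is to recompute the whole encoded message and compare it byte for byte. The example below is added here and is not code from the thread or from any of the cited papers: it puts a strict verifier next to the lenient pattern, using a constructed toy RSA key (e=3, deterministic seed, Fermat primality test for brevity) and assumes Python 3.8+ for `pow(x, -1, m)`.

```python
import hashlib, random

# DER prefix of the SHA-256 DigestInfo used by EMSA-PKCS1-v1_5 (19 bytes)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def is_probable_prime(n):
    # Fermat test with a few bases: adequate for a constructed demo key, not for real key generation
    return n > 7 and all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7))

def keygen(bits=1024, e=3, seed=2006):
    # Constructed, deterministic toy key with the low public exponent under discussion (e=3)
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if (p - 1) % e and is_probable_prime(p):        # keeps gcd(e, p-1) == 1
            primes.append(p)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))       # pow(x, -1, m) needs Python 3.8+

def emsa_pkcs1_v15(msg, k):
    # Canonical EM = 00 01 FF..FF 00 || DigestInfo || H(msg), exactly k bytes long
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for the encoding")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n)

def verify_strict(msg, sig, n, e):
    # Recompute the expected EM and compare the whole block: no parsing, no room for stray bytes
    k = (n.bit_length() + 7) // 8
    if not 0 < sig < n:
        return False
    return pow(sig, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(msg, k)

def lenient_em_check(em, msg):
    # The weak pattern: walk the padding, compare the hash, ignore whatever follows it
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i == len(em) or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t
```

A block with short padding, the correct DigestInfo and trailing bytes satisfies `lenient_em_check` but never equals `emsa_pkcs1_v15`, so the strict comparison rejects it whatever the public exponent is.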