Re: [Cfrg] draft-irtf-cfrg-curves-07
Thomas Pornin <pornin@bolet.org> Fri, 04 September 2015 13:42 UTC
Return-Path: <pornin@bolet.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBD111B3A59 for <cfrg@ietfa.amsl.com>; Fri, 4 Sep 2015 06:42:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.388
X-Spam-Level: *
X-Spam-Status: No, score=1.388 tagged_above=-999 required=5 tests=[BAYES_50=0.8, J_CHICKENPOX_31=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stQX1Vvl28kd for <cfrg@ietfa.amsl.com>; Fri, 4 Sep 2015 06:42:34 -0700 (PDT)
Received: from brontes.bolet.org (brontes.bolet.org [62.210.214.227]) by ietfa.amsl.com (Postfix) with ESMTP id 18D441B2D9B for <cfrg@irtf.org>; Fri, 4 Sep 2015 06:42:33 -0700 (PDT)
Received: by brontes.bolet.org (Postfix, from userid 1000) id 21F0E20D41; Fri, 4 Sep 2015 15:42:03 +0200 (CEST)
Date: Fri, 04 Sep 2015 15:42:03 +0200
From: Thomas Pornin <pornin@bolet.org>
To: Michael Hamburg <mike@shiftleft.org>
Message-ID: <20150904134203.GA4792@bolet.org>
References: <CY1PR0301MB119540063747E1C326904D59956B0@CY1PR0301MB1195.namprd03.prod.outlook.com> <CAMfhd9UW8w4dv79xRxxYLRnugjin6g2B0CD2KQJv2bVMxdNAdg@mail.gmail.com> <B7A5417C-78EC-455D-8374-FAB0EBB1A544@shiftleft.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <B7A5417C-78EC-455D-8374-FAB0EBB1A544@shiftleft.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/lI9snttc8zadCJVrCbnn2BZlccg>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] draft-irtf-cfrg-curves-07
X-BeenThere: cfrg@mail.ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.mail.ietf.org>
List-Unsubscribe: <https://mail.ietf.org/mailman/options/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@mail.ietf.org>
List-Help: <mailto:cfrg-request@mail.ietf.org?subject=help>
List-Subscribe: <https://mail.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Sep 2015 13:42:36 -0000
On Thu, Sep 03, 2015 at 05:58:55PM -0700, Michael Hamburg wrote: > Out of curiosity, how is this specified for RSA? Are implementations > required to accept any (N,e)? What if one or both are even? As per PKCS#1, implementations are only required to correctly process "valid RSA public keys". A RSA public key is valid consists in (n,e) where n is a product of u distinct primes (u >= 2), and e is an integer between 3 and n-1 such that GCD(e, lambda(n)) = 1. From these rules, we can infer that in a valid RSA public key, n and e MUST be odd. As far as I can see, there is no rule that mandates any kind of verification of the public key. An implementation MAY reject a public key with an even n or an even e, but is not required to. In any case, a verifier cannot fully check that a RSA public key is valid (e.g. it cannot easily check that the prime factors of the modulus are distinct). To put things into perspective, nothing in PKCS#1 says that, say, 400-bit RSA keys should be rejected (except when using a hash function such that the padded size would simply not fit in the modulus). Yet many implementations will reject such key sizes, and nobody clamours about the non-compliance of such a behaviour. In fact, it is generally considered a good thing to refuse to use a public key which is way too small to achieve decent security. In practice, an even modulus messes up with Montgomery multiplication; to support exponentiations modulo an even n, one must include some specific extra code. An RSA implementation that uses a generic big-integer library (say, a Java implementation that runs over java.math.BigInteger) may accept an even modulus and compute the "proper" value x^e mod n. A dedicated RSA implementation will either reject an even modulus, or compute something else than x^e mod n, because it will lack the code for handling modular exponentiations modulo an even modulus. As for an even public exponent, there again, some implementations will accept it, others will reject, and I suppose that some will simply assume that the least significant bit is 1 and ignore the provided value (it depends on whether the implementation handles the exponent bits from least to most significant, or not). To give an actual example: Microsoft's implementation of RSA (CryptoAPI) used to accept e=1. It was even documented as a feature, to be used for simple plaintext extraction of symmetric key through key wrapping. In Windows 8.1, this ceased to work; I could not find any documentation about that change. I suppose the theory is that when you use a public key, whether for encryption or signature verification, then you already have validated that the public key is "the right one", and attack models with a corrupted public key then make no sense at all. This is the classic, X.509-certificates view of things, which may be restrictive. So, basically, PKCS#1 does not specify implementation behaviour against invalid public keys. Rejection is allowed, not mandated. --Thomas Pornin
- Re: [Cfrg] draft-irtf-cfrg-curves-07 Adam Langley
- Re: [Cfrg] draft-irtf-cfrg-curves-07 Michael Hamburg
- Re: [Cfrg] draft-irtf-cfrg-curves-07 Thomas Pornin