ietf-openpgp
[Top] [All Lists]

Re: RSA Key spec question

1998-04-10 11:29:33
At 10:33 AM 4/3/98 -0500, tzeruch - at - ceddec - dot - com wrote:
E is 17 in pgp, but often 3 or 65567 elsewhere.  I know why 2**N+1, but is
there anything that should be said about this in the spec?

(Testing 2.6.2 v.s. SSLeay from long ago proved that any value of E worked
in either; But only some could be generated, or would be by default).

Bill Stewart writes:
The spec says that PKCS1 padding is required for the encrypted
session key packet, but it doesn't explicitly say that
in a message with multiple recipients, EVERY encrypted session
key packet needs to use a different random padding, as opposed to 
making one copy of m and encrypting it separately with each key.
This needs to be fixed.

The issue is preventing the low-exponent attack on RSA,
which is a particular risk for e=3, but occasionally messages
will have more than e=17 RSA-using recipients.

Indeed.  My PGP keyring may be odd, but I have several PGP keys
that have exponents other than e=17:  Richard Outerbridge's,
Arnold Reinhold's, David Stoler's, and the IETF Registrar's all
use 65537, and Christopher Drake (0xC0DED00D) has a 69-bit
exponent.  I'm guessing that's not an accidental number. :)

        Jim Gillogly

<Prev in Thread] Current Thread [Next in Thread>
  • Re: RSA Key spec question, Jim Gillogly <=