"Lucky Green" <[EMAIL PROTECTED]> writes:

>1) Very, very few applications, and no cryptographic libraries that I am aware
>of, that currently employ RSA perform any kind of sanity check on the size of
>the keys.
There are both applications and crypto libraries which perform fairly extensive
checking on keys. However, it's not as simple as you describe:

- GPG and (I believe) NAI PGP perform a pile of sanity checks which among other
  things are designed to make the Klima-Rosa attack a lot more difficult to pull
  off. This works because PGP knows it's only going to be fed keys from other
  PGP implementations, so it doesn't have to put up with the quirks and oddities
  of random software.

- CryptoAPI expects keys to be in a certain format based on its own
  public/private key blob format, and crashes if they're not. It doesn't seem to
  do any validation of parameters, and there's even an MSKB article telling you
  how to use an RSA key with e=1 to export plaintext secret keys (!!). This is
  the opposite end of the scale from the GPG/PGP approach.

- For crypto libraries, which have to be able to accept keys from all sorts of
  weird sources, it's difficult to get it right. For example I perform a pile of
  checks on RSA keys (n = p * q, ( d * e ) mod p-1 == 1 and
  ( d * e ) mod q-1 == 1, ( q * u ) mod p == 1, etc [0], the standard stuff from
  the Klima-Rosa paper) and the FIPS 186 checks on DLP keys. As a result, I keep
  getting complaints from people whose weird keys are being rejected by my code.
  My standard response to this is "You've got the source code, if you want to
  use strange key parameters you can change the source to allow it" (transl.
  "If you want to hang yourself, the rope's over there"), but that hardly works
  for commercial products.

As a result, (most) crypto libraries will continue to allow any old garbage as
key values. User perception is more important than security.

Peter.

[0] Speaking of RSA sanity checks, can anyone provide a sensible explanation
why OpenSSH uses e=35? I can think of several reasons why you wouldn't want to
use this, but no sensible argument in support of it.
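The parameter checks listed in the reply above (n = p * q, (d * e) mod (p-1) == 1, (d * e) mod (q-1) == 1, (q * u) mod p == 1), plus the usual primality and public-exponent checks the "etc" covers, written out as an added example. This is illustration code, not code from the post or from GPG, PGP, CryptoAPI or the poster's own library. The key layout (a dict with n, e, d, p, q and the PGP-style CRT coefficient u = q^-1 mod p), the sample primes and the tampered keys are all constructed here; the primes are tiny so the example runs instantly, where real keys are 1024 bits and up.

```python
"""RSA private-key sanity checks of the kind discussed in the post.

Added example, not library code.  Key layout assumed: a dict with
n, e, d, p, q and u, where u = q^-1 mod p (PGP-style CRT coefficient).
Requires Python 3.8+ for pow(x, -1, m).
"""
from math import gcd
import random


def make_key(p, q, e):
    """Build a complete RSA private key from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: d * e == 1 (mod phi)
    u = pow(q, -1, p)            # CRT coefficient:   q * u == 1 (mod p)
    return {"n": n, "e": e, "d": d, "p": p, "q": q, "u": u}


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; enough to reject a p or q that has been tampered with."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_rsa_key(key):
    """Return the list of failed checks; an empty list means the key looks sane.

    A key whose p or q has been corrupted (the Klima-Rosa scenario) fails the
    structural checks before any private-key operation is attempted.
    """
    n, e, d, p, q, u = (key[k] for k in ("n", "e", "d", "p", "q", "u"))
    problems = []
    if n != p * q:
        problems.append("n != p * q")
    if p == q:
        problems.append("p == q")
    if not is_probable_prime(p) or not is_probable_prime(q):
        problems.append("p or q not prime")
    # e == 1 turns RSA 'encryption' into the identity map, which is exactly
    # the CryptoAPI plaintext-export trick mentioned in the post.
    if e < 3 or e % 2 == 0:
        problems.append("public exponent too small or even")
    if gcd(e, (p - 1) * (q - 1)) != 1:
        problems.append("gcd(e, phi(n)) != 1")
    if (d * e) % (p - 1) != 1:
        problems.append("(d * e) mod (p - 1) != 1")
    if (d * e) % (q - 1) != 1:
        problems.append("(d * e) mod (q - 1) != 1")
    if (q * u) % p != 1:
        problems.append("(q * u) mod p != 1")
    # End-to-end consistency: a random message must survive a round trip.
    m = random.randrange(2, n - 1)
    if pow(pow(m, e, n), d, n) != m:
        problems.append("encrypt/decrypt round trip failed")
    return problems


def tamper(key, field, value):
    """Copy of key with one component replaced (simulates a corrupted key)."""
    bad = dict(key)
    bad[field] = value
    return bad


# Constructed sample values: two small primes and the common exponent 65537.
GOOD_KEY = make_key(10007, 10009, 65537)
# Corrupted p (one bit flipped): n no longer factors as p * q.
CORRUPT_P_KEY = tamper(GOOD_KEY, "p", GOOD_KEY["p"] ^ 1)
# The e = 1 key: every other relation holds, so only the exponent check fires.
E_ONE_KEY = make_key(10007, 10009, 1)

if __name__ == "__main__":
    for name, key in (("good", GOOD_KEY), ("corrupt p", CORRUPT_P_KEY),
                      ("e=1", E_ONE_KEY)):
        print(f"{name}: {check_rsa_key(key) or 'OK'}")
```

The point of running the structural checks before the round trip is the one the post makes about Klima-Rosa: a consistency failure between p, q, d and u is detected without ever performing a private-key operation on attacker-supplied input. The e = 1 case is also instructive: d = 1, u and the CRT relations are all perfectly consistent, so only an explicit lower bound on e catches it.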