[147648] in cryptography@c2.net mail archive

Re: [Cryptography] SSH small RSA public exponent

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Sat Oct 12 02:21:55 2013

X-Original-To: cryptography@metzdowd.com
Date: Sat, 12 Oct 2013 13:41:10 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: cryptography@metzdowd.com, tjh@cryptsoft.com
In-Reply-To: <52579433.8000801@cryptsoft.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

Tim Hudson <tjh@cryptsoft.com> writes:

>Does anyone recollect the history behind and the implications of the (open)
>SSH choice of 35 as a hard-wired public exponent?

/* OpenSSH versions up to 5.4 (released in 2010) hardcoded e = 35, which is
   both a suboptimal exponent (it's less efficient than a safer value like 257
   or F4) and non-prime.  The reason for this was that the original SSH used
   an e relatively prime to (p-1)(q-1), choosing odd (in both senses of the
   word) numbers > 31.  33 or 35 probably ended up being chosen frequently so
   it was hardcoded into OpenSSH for cargo-cult reasons, finally being fixed
   after more than a decade to use F4.  In order to use pre-5.4 OpenSSH keys
   that use this odd value we make a special-case exception for SSH use */

Peter.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
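
An added example, not part of the message above and not code from OpenSSH or any other project: a sketch of the exponent selection the comment describes (an odd e > 31 relatively prime to (p-1)(q-1)), showing how small values such as 33, 35 and 37 fall out of it, next to an acceptance check with the SSH special case. The function names, the choice of the first fitting value, the "prime e >= 257" policy and the toy primes are all assumptions made for illustration.

```python
from collections import Counter
from itertools import combinations
from math import gcd, isqrt

def is_prime(n):
    """Trial division; adequate for the small demo values used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))

def ssh1_style_exponent(p, q):
    """Fit e to the primes: first odd e > 31 coprime to (p-1)(q-1).
    Taking the *first* such value is an assumption of this sketch."""
    phi = (p - 1) * (q - 1)
    e = 33
    while gcd(e, phi) != 1:
        e += 2
    return e

def exponent_tally(primes):
    """Count which exponent each pair of distinct primes ends up with."""
    return Counter(ssh1_style_exponent(p, q) for p, q in combinations(primes, 2))

def exponent_acceptable(e, p=None, q=None, ssh_legacy=False):
    """Hypothetical acceptance policy: prime e >= 257, with e = 35 allowed
    only when the caller flags the key as a pre-5.4 OpenSSH key."""
    if p is not None and q is not None and gcd(e, (p - 1) * (q - 1)) != 1:
        return False          # not invertible mod (p-1)(q-1): unusable key
    if ssh_legacy and e == 35:
        return True           # special-case exception for SSH use
    return e >= 257 and is_prime(e)

# Constructed toy primes, far too small for real keys.
DEMO_PRIMES = [31, 47, 59, 67]

if __name__ == "__main__":
    print(exponent_tally(DEMO_PRIMES))
    for e in (33, 35, 257, 65537):
        print(e, exponent_acceptable(e), exponent_acceptable(e, ssh_legacy=True))
```
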