Supported exponents for 4096 bit RSA keys on Nitrokey Pro

fishsoup · June 17, 2017, 11:10am

Does the Nitrokey Pro support loading an RSA4096 key with an exponent of 3, rather than the more usual 65537?

here’s an example APDU. The exponent is present after the 83 tag and here is 00 00 03. Normally you’d see 83 01 00 01.

=> 10 DB 3F FF FE 4D 82 01 95 A4 00 7F 48 08 91 03 92 81 C0 93 81 C0 5F 48 82 01 83 00 00 03 D1 8F F8 AF E5 45 DF 62 C4 09 91 00 7C B6 35 FA 81 DC E4 35 90 38 67 47 51 A3 58 03 F8 EC D1 93 13 28 3A 7C 38 29 62 20 6E C8 37 3F 5D F9 3D 65 98 90 69 31 01 C5 FE 74 BE 34 3C 6B C0 82 56 85 8C 59 E5 0B 7A A0 CE DE A4 CA CC DD 4D E7 52 B3 65 77 9D 16 F5 CB EA AF 34 92 04 6D E2 E5 C4 C5 7F BD 8C 33 23 64 05 8D 00 DE 62 C5 13 85 0E 4C AB 34 15 CF FE 5C 47 BB CD 68 6D DC 18 94 94 DC 9C FD BE 77 51 6B C3 BB B8 07 4C 6B CA 0A 8B F4 CF 4F C8 CC 53 73 C6 50 82 ED D0 28 9D B9 B5 47 14 39 E9 EB 6D 3F F8 1A 86 8A DF 4B 70 FD 6C B1 2E 2E E1 73 06 04 7D 94 A1 82 D6 F9 37 87 6D 0B D7 93 4F 94 89 29 B1 E2 C5 30 77 25 65 FB 7F 61 FF BE 92 96 F2 24 FE 3C 80 50 66 60 CD 7E 5C 09 9F BF C1 32 DF 00 DB 3F FF 9B 0C 59 C7 89 F8 19 F0 59 06 C7 4F C5 47 51 CA 48 F0 6C 92 12 47 85 08 9E B8 FF 5F A8 2C 6A F9 50 06 9E B5 CF 36 FF 46 1F 03 6D 62 34 F2 41 76 C1 46 AE 36 C2 DC B7 76 6E BF 41 FF 98 11 E5 B7 32 15 38 A5 E3 81 71 35 A8 5A DD E9 F1 68 80 FC 4D 4D 76 92 90 DB A4 19 A2 90 EE B5 20 90 34 73 B5 52 3D 77 D4 3D 4E 51 F4 20 42 C9 DF 9E C4 61 BF 93 7D 15 44 5B 80 3E 4A 02 49 72 18 F8 B4 3F 38 47 A0 55 7D F3 F2 92 D0 56 59 0D DD 7F 27 83 8C 0D 38 79 7D 40 6F 33 00 78 C2 91

thanks,

James.

jan · June 26, 2017, 3:20pm

We didn’t test it but it should work. For a definitive answer, you would need to try. However an exponent of 3 is not recommended from the security point of view.

fishsoup · July 29, 2017, 2:02pm

Thank you. Do you have any evidence to support your statement “an exponent of 3 is not recommended from the security point of view” ? There seems to be confusion on this point, the demonstrated attack on small exponents was actually a weakness in the padding not the exponent. Many hardware implementations use small exponents as they use far less silicon.

thanks,

James.

jan · August 3, 2017, 5:39pm

Here is an example:

Coppersmith’s attack describes a class of cryptographic attacks on the public-key cryptosystem RSA based on the Coppersmith method. Particular applications of the Coppersmith method for attacking RSA include cases when the public exponent e is small or when partial knowledge of the secret key is available. […]