
[Cfrg] Risks of low-exponent RSA



The MSEC WG document draft-ietf-msec-ipsec-signatures-01.txt applies RSA signatures as an IPsec authentication transform. The point of such an unusual-sounding operation is to provide a simple means of source origin authentication when IPsec SAs are used to protect group traffic. For example, a low-bandwidth stream of IP multicast packets where proving the source of the packet is critical.

During the working group last call period, someone mentioned that using a public exponent of 3 could increase performance of the transform. Speeding up the RSA verification would be welcome, but I am aware of the existence of attacks against low-exponent RSA. What I'd like to know is if they apply to this particular usage of RSA.

Many low-exponent attacks that I've found documented depend on identical or similar encrypted messages, and the guidance is to use random padding. The draft requires the use of OAEP, which would seem to mitigate such attacks.

Any insight into other relevant low-exponent attacks would be appreciated.

Considering that the data being encrypted is the hash, I don't think attacks that would reveal plaintext are of direct concern. Attacks that would allow an attacker to create a valid signature would certainly be a concern.

Comments?

Thanks,
Brian

--
Brian Weis
Advanced Security Development, ITD, Cisco Systems
Telephone: +1 408 526 4796
Email: bew at cisco.com


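As an added illustration, not from Brian's message or the draft, the Python below shows the property behind the "use random padding" guidance: with e = 3 and an unpadded 160-bit hash as the message, m^3 is smaller than n, so the cube never wraps and m is recoverable by an integer cube root with no key at all; padding that fills the modulus restores the wrap-around the security argument relies on. The key is an assumption built from two well-known primes (the NIST P-192 and P-384 field primes, both 2 mod 3) purely to keep the toy deterministic, and the padding stand-in is plain random filling, not real OAEP.

```python
# Added example, not part of the original message: why a public exponent of 3
# needs randomised padding. Toy key from two well-known primes, not a real key.
import hashlib
import os

E = 3
P = 2**192 - 2**64 - 1                    # NIST P-192 field prime, 2 mod 3
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1   # NIST P-384 field prime, 2 mod 3
N = P * Q                                 # 576-bit toy modulus
D = pow(E, -1, (P - 1) * (Q - 1))         # exists because gcd(3, phi) == 1
N_BYTES = (N.bit_length() + 7) // 8


def icbrt(c):
    """Exact integer cube root of c, or None if c is not a perfect cube.
    This is the whole 'attack': if m**3 never wrapped modulo N, the
    ciphertext is a perfect cube over the integers and m falls out without
    the private key."""
    lo, hi = 0, 1 << ((c.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < c:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == c else None


def encrypt_raw(msg):
    """Textbook RSA with no padding; msg is a 20-byte SHA-1 digest."""
    return pow(int.from_bytes(msg, "big"), E, N)


def encrypt_padded(msg):
    """Stand-in for randomised padding such as OAEP (assumption, not real
    OAEP): random bytes fill the modulus, so the cubed integer is about as
    large as N and the reduction modulo N actually happens."""
    pad = os.urandom(N_BYTES - len(msg) - 1)
    m = int.from_bytes(b"\x00" + pad + msg, "big")   # leading 0x00 keeps m < N
    return pow(m, E, N)


def decrypt(c):
    return pow(c, D, N)


def demo():
    digest = hashlib.sha1(b"IPsec group packet (constructed)").digest()
    m = int.from_bytes(digest, "big")
    return {
        "raw_leak": icbrt(encrypt_raw(digest)) == m,               # True
        "padded_leak": icbrt(encrypt_padded(digest)) is not None,  # False
        "padded_roundtrip": decrypt(encrypt_padded(digest)) % (1 << 160) == m,
    }
```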
_______________________________________________ Cfrg mailing list Cfrg at ietf.org https://www1.ietf.org/mailman/listinfo/cfrg