Generating RSA key with different public exponent

I need to generate RSA keys using a different public exponent from the default one used by the RSACryptoServiceProvider (65537, {1,0,1}). The reason I need to do this is that I am currently writing software which communicates with a device that annoyingly assumes the public exponent of the 1024 bit modulus you send it is 3 (non-configurable on the device).

Does anyone know if this is possible using the .NET crypto classes or am I doomed to write a lot of code to generate keys myself?

Many thanks

Kris Sheglova

Hi,
unfortunately, in your case you'll need to generate the keypair yourself.

BTW: 3 is a tricky public exponent. If you use 3 as public exponent you have to be sure that you use OAEP for encryption and PSS for signature. Also you have to be absolutely sure that you or your partners don't have implementation errors. Daniel Bleichenbacher is continuously demonstrating attacks on buggy implementations with exponent 3 on PKCS 1.5 padding since 1998. This year, on Crypto 2006 he has demonstrated how to manually forge a signature with exponent 3 and a buggy verifier, that he has actually found at least one open source implementation having a bug allowing the attack. Daniel is trying to convince people to stop using RSA keys with exponents of 3. Even if your own implementation is not vulnerable to this attack, there's no telling what the other guy's code may do. And he is the one relying on your signature...

-Valery.
http://www.harper.no/valery

Kris wrote:
> I need to generate RSA keys using a different public exponent from the
> default one used by the RSACryptoServiceProvider (65537, {1,0,1}). The
> reason I need to do this is that I am currently writing software which
> communicates with a device that annoyingly assumes the public exponent
> of the 1024 bit modulus you send it is 3 (non-configurable on the
> device).
>
> Does anyone know if this is possible using the .NET crypto classes or
> am I doomed to write a lot of code to generate keys myself?
>
> Many thanks
>
> Kris Sheglova

Hello!
You wrote on 6 Sep 2006 12:08:41 -0700:

VP> 1.5 padding since 1998. This year, on Crypto 2006 he has demonstrated
VP> how to manually forge signature with exponent 3 and a buggy verifier,
VP> that he has actually found at least one open source implementation
VP> having a bug allowing the attack. Daniel is trying to convince people

He-he, why don't you say it's OpenSSL, which you advertise from time to time ...

SecureBlackbox uses other exponent (65537) btw and can be used to generate the RSA keys.

With best regards,
Eugene Mayevski
http://www.SecureBlackbox.com - the comprehensive component suite for network security

Eugene Mayevski wrote:
> Hello!
> You wrote on 6 Sep 2006 12:08:41 -0700:
>
> VP> 1.5 padding since 1998. This year, on Crypto 2006 he has demonstrated
> VP> how to manually forge signature with exponent 3 and a buggy verifier,
> VP> that he has actually found at least one open source implementation
> VP> having a bug allowing the attack. Daniel is trying to convince people
>
> He-he, why don't you say it's OpenSSL, which you advertise from time to time
> ...

Because it was not OpenSSL

> SecureBlackbox uses other exponent (65537) btw and can be used to generate
> the RSA keys.

If you would read the OP's question you'd probably know that the OP specifically asked about public exponent 3, which is a requirement on the device. (also see my previous comments regarding your product)

-Valery
http://www.harper.no/valery

Hello!
You wrote on 7 Sep 2006 00:52:19 -0700:

??>> He-he, why don't you say it's OpenSSL, which you advertise from time
??>> to time ...
VP> Because it was not OpenSSL

It was. http://www.security.nnov.ru/Gnews574.html
If you know other open-source product vulnerable to the attack, name it.

With best regards,
Eugene Mayevski
http://www.SecureBlackbox.com - the comprehensive component suite for network security

Eugene Mayevski wrote:
> Hello!
> You wrote on 7 Sep 2006 00:52:19 -0700:
>
> ??>> He-he, why don't you say it's OpenSSL, which you advertise from time
> ??>> to time ...
> VP> Because it was not OpenSSL
>
> It was. http://www.security.nnov.ru/Gnews574.html
> If you know other open-source product vulnerable to the attack, name it.

thanks for the link!

It didn't look that OpenSSL was the product mentioned in Daniel's talk, but since he mentioned no name... it might be it... I must admit that's a bit scary to find that such a widely reviewed library has the bug allowing Bleichenbacher's attack.

-Valery.
http://www.harper.no/valery
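
Added example, not part of the thread and not code from any poster or product named in it: the "generate the keypair yourself" step from the first reply, written as plain integer arithmetic in Python. The function names and the returned dictionary layout are assumptions made for this sketch; the only constraint specific to exponent 3 is that each prime p must satisfy gcd(3, p-1) = 1.

```python
import math
import secrets

E = 3  # public exponent the device in the question assumes

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # base in 2..n-2
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached n-1: composite
    return True

def gen_prime(bits, e=E):
    """Random prime of exactly `bits` bits with gcd(e, p-1) == 1.
    For e = 3 this means p % 3 == 2, so about half of all primes are skipped."""
    while True:
        # Top two bits set: the product of two such primes has exactly 2*bits bits.
        p = secrets.randbits(bits) | (0b11 << (bits - 2)) | 1
        if math.gcd(e, p - 1) == 1 and is_probable_prime(p):
            return p

def gen_rsa_key(modulus_bits=1024, e=E):
    """Return n, e, d and the CRT values for a key with public exponent e."""
    p = gen_prime(modulus_bits // 2, e)
    q = gen_prime(modulus_bits // 2, e)
    while q == p:
        q = gen_prime(modulus_bits // 2, e)
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    d = pow(e, -1, lam)  # exists because gcd(e, p-1) == gcd(e, q-1) == 1
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}
```

The returned values correspond to the fields of .NET's RSAParameters structure (Modulus, Exponent, D, P, Q, DP, DQ, InverseQ), which holds them as big-endian byte arrays.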