[cabfpub] RFC5280
王文正
wcwang at cht.com.tw
Thu Feb 25 09:45:01 UTC 2016
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Geoff Keating
> Sent: Thursday, February 25, 2016 5:16 AM
> To: Jeremy Rowley
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] RFC5280
>
>
> > On 24 Feb 2016, at 1:08 PM, Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>
> wrote:
> >
> >
> > It is not clear to me in what way 2047 == 2048 and why the same logic can’t
> be applied repeatedly to say that 1024 == 2048.
> >
> > [JR] See Peter Bowen's email for the explanation:
> > " I think there is a misunderstanding here. There has never been a
> requirement that the modulus contain a certain number of bits set to ‘1’.
> What is required is that the modulus be a 2048-bit number. The problem is
> that a 2048-bit number can have one or more of the high order bits being zero.
> When calculating the modulus “size”, all an observer can do find the
> left-most bit set to ‘1’ and use that. RSA moduli normally are the product
> of two prime numbers. OpenSSL and some other generating tools have a
> function that makes the top bit of each prime number to be 1 which ensures
> the result will have the top bit set to 1. However a random prime could be
> smaller, resulting in a smaller results.”
>
> I think this is incorrect. A 2048-bit number is a number between 2^2047 and
> 2^2048-1.
I think the 2047-bit/2048-bit issue is related to the ASN.1 DER Encoding of Integer.
ASN.1 DER uses "two's complement representation" for encoding integer values. In
two's complement representation, the first bit (the most significant bit) determines
whether a number is positive or negative. This means that sometimes an extra leading
zero byte needs to be added to prevent the first bit from causing the integer to be
interpreted as a negative number. Since the RSA modulus must be a positive integer, its
the most significant bit in ASN.1 DER encoding must not be 1. That means if you want
to generate a RSA modulus with its effective number of bits be 2048 (that is the first bit
of the first byte is 1), an extra leading zero byte (00) needs to be added in its ASN.1 DER
encoding, this will make the number of "bytes" of its ASN.1 encoding be 257 rather than
256. I believe that most up-to-dated implementation of RSA key generators will strictly
generate modulus with exact number of effective bits specified by the user. That is, if
the user request the RSA key generator to generate a 2048-bit RSA key, the modulus
generated will be a 256-byte octet string with first bit of the first byte being 1, and thus
an extra leading zero byte (00) will be added in its ASN.1 DER encoding, which means
the length of its ASN.1 DER encoding should be always 257 bytes.
The following is an example of the ASN.1 DER encoding of the value of a 2048-bit RSA
modulus, please note the extra leading zero byte (00).
00 C9 F6 E7 34 E7 73 FE C6 66 92 06 E4 26 15 E6
65 CC AF 90 44 04 AB AE C3 3D 84 B7 75 AA 8D E7
41 DB 28 17 CF CB D9 2A F6 DC B1 69 7C 5D E6 5D
FF DD 79 B5 89 70 38 A2 2A A2 45 C6 6B FA EA FC
3A CD 39 A2 FD 36 AE 18 A7 E4 FF C4 A6 6B 7D 9F
19 C3 AF FC 4C 67 1D 50 5E 86 49 43 8B B0 CC 2D
59 62 3E 58 90 89 1A A2 62 E4 DB 17 F3 80 98 CB
0C CC F2 5A 7E DC 7E 37 90 2A 12 A9 4D 78 B1 46
AE BF C8 5A DC EC 0A 5C 2B A5 0C A6 60 81 CE 0F
32 4A 2A DD 7B 23 D7 44 9A 06 CA 1C F4 C1 88 A6
62 6B C7 0B 6B DE 9C 51 95 BD C8 AF 2A 8C 9F DC
99 4F 35 28 94 A9 EF A0 FD 04 0D 0A 4A 71 FA DF
A4 C5 D1 CC D5 BB B0 1E A7 00 A4 C7 D4 C4 FE E5
10 D8 C5 69 10 E7 90 EF 65 95 57 3C 0B A2 A9 42
A1 87 65 07 9E A2 E1 34 C0 D8 D6 6D 0E 63 85 D2
03 87 9F ED 65 AA E0 BA 93 31 6A 0D F2 4F 25 17
FC
However, there might exists some implementations which might not generate
exact number of bits specified by the user. For example, if an implementation
generates a 256-byte with the first bit of the first byte is 0. In such a situation, the
effective number of bits is actually 2047 but it is perfectly be a positive integer in
the ASN.1 DER Encoding and thus no extra leading zero byte (00) is needed.
Will we accept this kind of 2047-bit RSA modulus? Or even accepting the range
of 2041-bit to 2047-bit modulus? (because the leading first to seventh bits might
be 0)
Currently, our CA implementation will reject 2047-bit modulus and our
implementation of key generator will always generate keys with exact number
of effective bits specified by the user. However, I do not think allowing only a
few leading zero bits in keys will endanger the security. Personally, I am neutral
to this 2047-bit/2048-bit issue. If the final decision is that the key should be exactly
2048 bits, that will be fine for me. If the final decision will allow a little relax about
the exact effective bits, that will be also fine for me.
Wen-Cheng Wang
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160225/3a33c3e1/attachment-0003.html>
More information about the Public
mailing list