[cabfpub] RFC5280

Thu Feb 25 09:45:01 UTC 2016

> -----Original Message-----

> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]

> On Behalf Of Geoff Keating

> Sent: Thursday, February 25, 2016 5:16 AM

> To: Jeremy Rowley

> Cc: public at cabforum.org

> Subject: Re: [cabfpub] RFC5280

>

>

> > On 24 Feb 2016, at 1:08 PM, Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>

> wrote:

> >

> >

> > It is not clear to me in what way 2047 == 2048 and why the same logic can’t

> be applied repeatedly to say that 1024 == 2048.

> >

> > [JR] See Peter Bowen's email for the explanation:

> > " I think there is a misunderstanding here. There has never been a

> requirement that the modulus contain a certain number of bits set to ‘1’.

> What is required is that the modulus be a 2048-bit number.  The problem is

> that a 2048-bit number can have one or more of the high order bits being zero.

> When calculating the modulus “size”, all an observer can do find the

> left-most bit set to ‘1’ and use that.  RSA moduli normally are the product

> of two prime numbers. OpenSSL and some other generating tools have a

> function that makes the top bit of each prime number to be 1 which ensures

> the result will have the top bit set to 1.  However a random prime could be

> smaller, resulting in a smaller results.”

>

> I think this is incorrect.  A 2048-bit number is a number between 2^2047 and

> 2^2048-1.

I think the 2047-bit/2048-bit issue is related to the ASN.1 DER Encoding of Integer.

ASN.1 DER uses "two's complement representation" for encoding integer values. In

two's complement representation, the first bit (the most significant bit) determines

whether a number is positive or negative. This means that sometimes an extra leading

zero byte needs to be added to prevent the first bit from causing the integer to be

interpreted as a negative number. Since the RSA modulus must be a positive integer, its

the most significant bit in ASN.1 DER encoding must not be 1. That means if you want

to generate a RSA modulus with its effective number of bits be 2048 (that is the first bit

of the first byte is 1), an extra leading zero byte (00) needs to be added in its ASN.1 DER

encoding, this will make the number of "bytes" of its ASN.1 encoding be 257 rather than

256. I believe that most up-to-dated implementation of RSA key generators will strictly

generate modulus with exact number of effective bits specified by the user. That is, if

the user request the RSA key generator to generate a 2048-bit RSA key, the modulus

generated will be a 256-byte octet string with first bit of the first byte being 1, and thus

an extra leading zero byte (00) will be added in its ASN.1 DER encoding, which means

the length of its ASN.1 DER encoding should be always 257 bytes.

The following is an example of the ASN.1 DER encoding of the value of a 2048-bit RSA

modulus, please note the extra leading zero byte (00).

00 C9 F6 E7 34 E7 73 FE C6 66 92 06 E4 26 15 E6

65 CC AF 90 44 04 AB AE C3 3D 84 B7 75 AA 8D E7

41 DB 28 17 CF CB D9 2A F6 DC B1 69 7C 5D E6 5D

FF DD 79 B5 89 70 38 A2 2A A2 45 C6 6B FA EA FC

3A CD 39 A2 FD 36 AE 18 A7 E4 FF C4 A6 6B 7D 9F

19 C3 AF FC 4C 67 1D 50 5E 86 49 43 8B B0 CC 2D

59 62 3E 58 90 89 1A A2 62 E4 DB 17 F3 80 98 CB

0C CC F2 5A 7E DC 7E 37 90 2A 12 A9 4D 78 B1 46

AE BF C8 5A DC EC 0A 5C 2B A5 0C A6 60 81 CE 0F

32 4A 2A DD 7B 23 D7 44 9A 06 CA 1C F4 C1 88 A6

62 6B C7 0B 6B DE 9C 51 95 BD C8 AF 2A 8C 9F DC

99 4F 35 28 94 A9 EF A0 FD 04 0D 0A 4A 71 FA DF

A4 C5 D1 CC D5 BB B0 1E A7 00 A4 C7 D4 C4 FE E5

10 D8 C5 69 10 E7 90 EF 65 95 57 3C 0B A2 A9 42

A1 87 65 07 9E A2 E1 34 C0 D8 D6 6D 0E 63 85 D2

03 87 9F ED 65 AA E0 BA 93 31 6A 0D F2 4F 25 17

FC

However, there might exists some implementations which might not generate

exact number of bits specified by the user. For example, if an implementation

generates a 256-byte with the first bit of the first byte is 0. In such a situation, the

effective number of bits is actually 2047 but it is perfectly be a positive integer in

the ASN.1 DER Encoding and thus no extra leading zero byte (00) is needed.

Will we accept this kind of 2047-bit RSA modulus? Or even accepting the range

of 2041-bit to 2047-bit modulus? (because the leading first to seventh bits might

be 0)

Currently, our CA implementation will reject 2047-bit modulus and our

implementation of key generator will always generate keys with exact number

of effective bits specified by the user. However, I do not think allowing only a

few leading zero bits in keys will endanger the security. Personally, I am neutral

to this 2047-bit/2048-bit issue. If the final decision is that the key should be exactly

2048 bits, that will be fine for me. If the final decision will allow a little relax about

the exact effective bits, that will be also fine for me.

Wen-Cheng Wang

Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited.  Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160225/3a33c3e1/attachment-0003.html>