

Why RSA encryption padding is critical (cool RSA implementation flaw) - tptacek
http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/

======
jsc
A generalization of the attack (and many more attacks) is given in:
<http://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf>

------
miloshh
The attack seems to be based on the arbitrary assumption that e=3. Isn't e
always a huge number in practice?

~~~
sid0
Yes. 65537 is commonly used.

~~~
NateLawson
The lower your public exponent in RSA, the faster you can verify signatures.
So e=3 is still used quite often in embedded applications. It can be secure if
used properly, but for most cases, it is safer to use 65537 as that can
protect you from actual exploitation even if you have a variety of
implementation bugs.
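As an added illustration for the points above (e=3 vs. 65537, and why padding is critical), here is a small Python script; it is not code from the thread or from the linked article. The 512-bit toy key, the fixed RNG seed and the ad-hoc random padding are all constructed here for demonstration: real deployments use PKCS#1 v1.5 or OAEP, not this padding. It shows that with e=3 and no padding the plaintext is an exact integer cube root of the ciphertext (so it can be recovered without the private key), that padding which fills the modulus makes m^3 wrap around n and defeats that check, and that e=3 costs 2 modular multiplications per exponentiation against 17 for 65537, which is the speed trade-off the comment describes.

```python
"""Toy RSA demo: why padding matters with a small public exponent.
Added example; all parameters below are constructed for illustration."""
import random
from math import gcd


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime with the top bit set (so the modulus has full size)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits, e, rng):
    """Return (n, e, d); retries until gcd(e, phi) == 1 so that e=3 is valid."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def icbrt(n):
    """Floor integer cube root: Newton steps from an overestimate, then fix-up."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            break
        x = y
    while x * x * x > n:
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x


def recover_if_unpadded_e3(c):
    """Defender's sanity check: if the ciphertext is a perfect cube, the message
    was encrypted with e=3 and too little padding (m**3 never wrapped mod n)."""
    m = icbrt(c)
    return m if m ** 3 == c else None


def toy_pad(m_bytes, n, rng):
    """Constructed toy padding (NOT PKCS#1): random bits fill the modulus so
    that the padded value cubed wraps around n."""
    pad_bits = n.bit_length() - 8 * len(m_bytes) - 16
    r = rng.getrandbits(pad_bits) | (1 << (pad_bits - 1))
    return (r << (8 * len(m_bytes))) | int.from_bytes(m_bytes, "big")


def modexp_multiplications(e):
    """Modular multiplications square-and-multiply needs for exponent e:
    (bit_length - 1) squarings plus (popcount - 1) multiplies."""
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)


def demo(seed=7):
    """Encrypt a short constructed message with and without padding under e=3."""
    rng = random.Random(seed)
    n, e, d = keygen(512, 3, rng)
    msg = b"hi"                              # constructed short plaintext
    m = int.from_bytes(msg, "big")
    c_raw = pow(m, e, n)                     # textbook RSA, no padding
    c_pad = pow(toy_pad(msg, n, rng), e, n)  # same key, padded value
    assert pow(c_raw, d, n) == m             # normal decryption still works
    return recover_if_unpadded_e3(c_raw) == m, recover_if_unpadded_e3(c_pad) is None


if __name__ == "__main__":
    unpadded_broken, padded_resists = demo()
    print("unpadded e=3 plaintext recovered without private key:", unpadded_broken)
    print("padded ciphertext passes the cube-root check:", padded_resists)
    print("modmuls per exponentiation, e=3:", modexp_multiplications(3),
          "e=65537:", modexp_multiplications(65537))
```

The `recover_if_unpadded_e3` check is the kind of thing a reviewer can run over a protocol's ciphertexts to detect a missing-padding bug; with proper padding the cube root simply does not exist, which is exactly what the padding is there to guarantee.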

------
sid0
Hell, even if you do send just one message and do pad it, but the padding
sucks (i.e. is known to the adversary) and e is small, you can use
Coppersmith's theorem to break the encryption.

This is really just reason number 242151205 why you shouldn't attempt to build
your own crypto system.

~~~
NateLawson
I don't think that's correct. Coppersmith's attack requires at least 2
messages. You're talking about the paper "Low-Exponent RSA with Related
Messages (1996)" right?

[http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.6...](http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.6527)

~~~
sid0
No... what I'm referring to is given in
<http://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf> -- basically using
LLL to bring the numbers down to below the RSA modulo. (I know it works,
because I wrote Mathematica code to implement it. :) )

------
gcb
slightly OT, but another good anecdote about buggy RSA implementation

[http://media.ccc.de/browse/congress/2008/25c3-2799-en-consol...](http://media.ccc.de/browse/congress/2008/25c3-2799-en-console_hacking_2008_wii_fail.html)

*edit: it's about Team Twiizers exploiting the RSA implementation on Nintendo's Wii to run unsigned code.

