[messaging] "Keybase Attack" on RSA signatures

Maxwell Krohn themax at gmail.com
Wed Sep 10 05:26:37 PDT 2014

> Indeed; as best I can tell, keybase.io's OpenPGP implementation is not checking any of the RSA cryptosystem's validity conditions. (Neither does Google's E2E. GnuPGP and PGP check some, but not all.) What RSA public key consumers should check, in rough order of importance:
> gcd(n, e) == 1
> n mod 2 == 1
> 1 < e <= 2^16+1
> is_prime(e)
> (Note that the last two are more restrictive than the sufficient conditions for validity. There is no particular reason to be more lenient, however. It is also nice to check that n can't be factored by trial division or random ECM instances for rho, lambda, and p-1, but this is impractical for JS implementations.)

Thank you for these suggestions, I’ll incorporate them into the Web client. The command-line client shells out to GnuPG so should be partially covered.

Are there analagous checks recommended for DSA and ECDSA keys?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140910/c9916514/attachment.sig>

More information about the Messaging mailing list