> -----Original Message----- > From: [email protected] [mailto:[email protected]]
> On Behalf Of Geoff Keating > Sent: Thursday, February 25, 2016 5:16 AM > To: Jeremy Rowley > Cc: [email protected] > Subject: Re: [cabfpub] RFC5280 > > > > On 24 Feb 2016, at 1:08 PM, Jeremy Rowley > > <[email protected]<mailto:[email protected]>> > wrote: > > > > > > It is not clear to me in what way 2047 == 2048 and why the same logic can’t > be applied repeatedly to say that 1024 == 2048. > > > > [JR] See Peter Bowen's email for the explanation: > > " I think there is a misunderstanding here. There has never been a > requirement that the modulus contain a certain number of bits set to ‘1’. > What is required is that the modulus be a 2048-bit number. The problem is > that a 2048-bit number can have one or more of the high order bits being zero. > When calculating the modulus “size”, all an observer can do find the > left-most bit set to ‘1’ and use that. RSA moduli normally are the product > of two prime numbers. OpenSSL and some other generating tools have a > function that makes the top bit of each prime number to be 1 which ensures > the result will have the top bit set to 1. However a random prime could be > smaller, resulting in a smaller results.” > > I think this is incorrect. A 2048-bit number is a number between 2^2047 and > 2^2048-1. I think the 2047-bit/2048-bit issue is related to the ASN.1 DER Encoding of Integer. ASN.1 DER uses "two's complement representation" for encoding integer values. In two's complement representation, the first bit (the most significant bit) determines whether a number is positive or negative. This means that sometimes an extra leading zero byte needs to be added to prevent the first bit from causing the integer to be interpreted as a negative number. Since the RSA modulus must be a positive integer, its the most significant bit in ASN.1 DER encoding must not be 1. That means if you want to generate a RSA modulus with its effective number of bits be 2048 (that is the first bit of the first byte is 1), an extra leading zero byte (00) needs to be added in its ASN.1 DER encoding, this will make the number of "bytes" of its ASN.1 encoding be 257 rather than 256. I believe that most up-to-dated implementation of RSA key generators will strictly generate modulus with exact number of effective bits specified by the user. That is, if the user request the RSA key generator to generate a 2048-bit RSA key, the modulus generated will be a 256-byte octet string with first bit of the first byte being 1, and thus an extra leading zero byte (00) will be added in its ASN.1 DER encoding, which means the length of its ASN.1 DER encoding should be always 257 bytes. The following is an example of the ASN.1 DER encoding of the value of a 2048-bit RSA modulus, please note the extra leading zero byte (00). 00 C9 F6 E7 34 E7 73 FE C6 66 92 06 E4 26 15 E6 65 CC AF 90 44 04 AB AE C3 3D 84 B7 75 AA 8D E7 41 DB 28 17 CF CB D9 2A F6 DC B1 69 7C 5D E6 5D FF DD 79 B5 89 70 38 A2 2A A2 45 C6 6B FA EA FC 3A CD 39 A2 FD 36 AE 18 A7 E4 FF C4 A6 6B 7D 9F 19 C3 AF FC 4C 67 1D 50 5E 86 49 43 8B B0 CC 2D 59 62 3E 58 90 89 1A A2 62 E4 DB 17 F3 80 98 CB 0C CC F2 5A 7E DC 7E 37 90 2A 12 A9 4D 78 B1 46 AE BF C8 5A DC EC 0A 5C 2B A5 0C A6 60 81 CE 0F 32 4A 2A DD 7B 23 D7 44 9A 06 CA 1C F4 C1 88 A6 62 6B C7 0B 6B DE 9C 51 95 BD C8 AF 2A 8C 9F DC 99 4F 35 28 94 A9 EF A0 FD 04 0D 0A 4A 71 FA DF A4 C5 D1 CC D5 BB B0 1E A7 00 A4 C7 D4 C4 FE E5 10 D8 C5 69 10 E7 90 EF 65 95 57 3C 0B A2 A9 42 A1 87 65 07 9E A2 E1 34 C0 D8 D6 6D 0E 63 85 D2 03 87 9F ED 65 AA E0 BA 93 31 6A 0D F2 4F 25 17 FC However, there might exists some implementations which might not generate exact number of bits specified by the user. For example, if an implementation generates a 256-byte with the first bit of the first byte is 0. In such a situation, the effective number of bits is actually 2047 but it is perfectly be a positive integer in the ASN.1 DER Encoding and thus no extra leading zero byte (00) is needed. Will we accept this kind of 2047-bit RSA modulus? Or even accepting the range of 2041-bit to 2047-bit modulus? (because the leading first to seventh bits might be 0) Currently, our CA implementation will reject 2047-bit modulus and our implementation of key generator will always generate keys with exact number of effective bits specified by the user. However, I do not think allowing only a few leading zero bits in keys will endanger the security. Personally, I am neutral to this 2047-bit/2048-bit issue. If the final decision is that the key should be exactly 2048 bits, that will be fine for me. If the final decision will allow a little relax about the exact effective bits, that will be also fine for me. Wen-Cheng Wang Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
