[dns-operations] [Ext] Re: (struct DNSSEC_DNSKEY_RR *) Exponent lengths
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Aug 9 16:43:58 UTC 2018
On Thu, Aug 09, 2018 at 03:56:20PM +0000, Edward Lewis wrote:
> Took a while to get back to this, using the same data set (6 Aug):
>
> On 8/8/18, 12:18, "dns-operations on behalf of Viktor Dukhovni" <dns-operations-bounces at dns-oarc.net on behalf of ietf-dane at dukhovni.org> wrote:
>
> >The numbers you quote look perturbed by noise from *DSA.
>
> I decided to pull the exponents too. It's not just DSA. Sorted by exponent length and value, leaving in DNSSEC security algorithm and key length.

Running your data through:

    egrep -v DSA- | awk '{print $2,$3,$4,$5}' | sort | uniq -c | sort -nr

gives:

     11 RSA-SHA256 1024 02 FF39
      6 RSA-SHA1-N 2048 02 FFFF
      4 RSA-SHA512 1024 02 FF39
      3 RSA-SHA256 2048 02 FF39
      3 RSA-SHA1 2048 04 40000003
      3 RSA-SHA1 1024 04 40000003
      2 RSA-SHA512 2048 02 FF39
      1 RSA-SHA512 2048 02 FFFF

which is basically (a subset of) what I reported:

     domains | exp
    ---------+--------------
     6767769 | 0x010001      prime: F_4
       13011 | 0x0100000001  composite: F_5 = 641 x 6700417
         439 | 0x03          prime: F_0
          48 | 0xff39        composite: 65337 = 3 x 29 x 751 (typo for 65537)
          34 | 0x40000003    prime: 1073741827
          20 | 0xffff        composite: 65535 = F_0 x F_1 x F_2 x F_3

By far the most common "unexpected" exponent is F_5; I don't know
why it is so popular. No obvious gain in security, and of course
reduced performance. Adam Langley's advice to use e=3 (F_0) is
clearly not getting much traction.
--
Viktor.
P.S. The DSA keys don't have the same structure and so we can't
meaningfully extract exponents. A DSA public key in group (p,g,q)
with g the generator of a sub-group of prime order q, is a public
key P=g^S (mod p) with S in [1,q-1] the secret (private) key.
There's no public exponent to look at in a DSA key.
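
Added example, not part of the original post or of either poster's tooling: Python code showing how the exponent-length and exponent columns above can be read from the public key field of an RSA DNSKEY, which per RFC 3110 is a length prefix, the exponent, then the modulus. The function names are assumptions, and the sample keys are constructed with placeholder moduli, not real RSA keys.

```python
import base64

# Exponents tallied in the post above, with the post's own annotations.
TALLIED = {
    0x010001: "F_4, prime",
    0x0100000001: "F_5, composite",
    0x03: "F_0, prime",
    0xFF39: "65337, composite (typo for 65537)",
    0x40000003: "1073741827, prime",
    0xFFFF: "65535, composite",
}

def parse_rsa_dnskey(pubkey_b64):
    """Return (exponent_length, exponent, modulus_bits) for an RSA key field."""
    raw = base64.b64decode("".join(pubkey_b64.split()), validate=True)
    if not raw:
        raise ValueError("empty public key field")
    elen, off = raw[0], 1
    if elen == 0:  # long form: 0x00, then a 16-bit big-endian length
        if len(raw) < 3:
            raise ValueError("truncated exponent length")
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    if elen == 0 or len(raw) <= off + elen:
        raise ValueError("truncated exponent or missing modulus")
    exponent = int.from_bytes(raw[off:off + elen], "big")
    modulus = int.from_bytes(raw[off + elen:], "big")
    return elen, exponent, modulus.bit_length()

def describe(pubkey_b64):
    """Format one key like the post's columns: bits, exp length, exp, note."""
    elen, e, bits = parse_rsa_dnskey(pubkey_b64)
    return "%d %02X %X %s" % (bits, elen, e, TALLIED.get(e, "not in the tally"))

def constructed_key(exp_hex, bits):
    """Build a sample key field; the modulus is a placeholder, not a real RSA modulus."""
    exp = bytes.fromhex(exp_hex)
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    return base64.b64encode(bytes([len(exp)]) + exp + modulus).decode()

if __name__ == "__main__":
    for exp_hex, bits in [("010001", 2048), ("FF39", 1024), ("40000003", 1024)]:
        print(describe(constructed_key(exp_hex, bits)))
```
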