fermat primes and dnssec-keygen bug?

Spain, Dr. Jeffry A. spainj at countryday.net
Wed Mar 7 04:07:28 UTC 2012

> I would recommend that dnssec-keygen starts ignoring the "-e" parameter that everyone has put in their scripts to prevent exponent 3 keys, who are not getting keys with exponent 4294967296 + 1 (F5)

> Alternatively, if this is done on purpose, I guess we should all migrate the 64 bit machines :)

As background, see the discussion of Fermat Numbers, e.g. F4 and F5, at http://en.wikipedia.org/wiki/Fermat_number. See also the role of the exponent in RSA public-key cryptography at http://en.wikipedia.org/wiki/RSA_(algorithm).

This is interesting, if I correctly understand your point, but it appears that dnssec-keygen computes F5 differently than you do in your example in http://code.google.com/p/go/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Status%20Stars%20Priority%20Owner%20Reporter%20Summary&groupby=&sort=&id=3161.

In your example:
	pubkey := new(rsa.PublicKey)
	pubkey.N = big.NewInt(0)
	pubkey.E = 4294967296 + 1
which results in 32-bit integer overflow.

In bind-9.9.0/lib/dns/opensslrsa_link.c, starting at line 750:
	if (exp == 0) {
		/* RSA_F4 0x10001 */
		BN_set_bit(e, 0);
		BN_set_bit(e, 16);
	} else {
		/* F5 0x100000001 */
		BN_set_bit(e, 0);
		BN_set_bit(e, 32);
where exp is nonzero if option -e is set in the original call to dnssec-keygen and e is a BIGNUM pointer initialized as 'BIGNUM *e = BN_new();'. I would surmise that e is not subject to integer overflow in its representation of F5. The BIGNUM type is a component of OpenSSL. See http://www.openssl.org/docs/crypto/bn.html. According to this document it supports arbitrary precision integer arithmetic subject only to memory allocation limits with no indication of a dependency on 32-bit or 64-bit CPU architecture. If there is a problem, I think it would be with OpenSSL rather than dnssec-keygen.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

More information about the bind-users mailing list