trollins@debbie.telos.com (Tom Rollins) writes:

PGP 2.6ui has an undocumented feature.

When generating a Public/Secret key pair PGP documentaion shows the command "pgp -kg" as the way to generate the keys. I had posted about how pgp uses a small public key exponent of 17 which is 5 bits. It turns out that this is only the default setting. An Un-Documented feature in PGP 2.6ui (I don't know about other versions as I don't have source code for them) lets you specify the number of bits in your public key exponent. The command "pgp -kg keybits ebits" will let you specify this public key exponent size. For example "pgp -kg 1024 256" will generate a key with modulus of aprox 1024 bits and a public key exponent of 256 bits rather than the 5 bit default.

Too Bad pgp doesn't let you look at the public key exponent. I had to write some code to see them.

Questions: 1) In non-mathematical terms, if possible, what difference does this make in terms of security? 2) Does anyone know why is this undocumented? 3) What changes did you make? Sounds like it would be a well-received set of patches to be made public. (I'm well aware of the current arguments regarding algorithmic strength being no substitute for secure key management; I'm merely curious.)