You asked three questions:
- What does this code do?
- Why is
1 bad? - Why was it replaced with
65537 ?
It looks like you have little cryptographic background, so I will also try to fill in some of the gaps.
What does this code do?
To understand why the original value of 1 was a broken choice, you need to understand a little how RSA works.
RSA is a cryptosystem - a way to generate keys, encrypt and decrypt - so you can safely send messages to other people. RSA is a member of the class with the name of the public key cryptosystem , because the key that you use to encrypt messages is publicly available and can be freely known to everyone. The key that you use to decrypt messages encrypted with your public key is secret and is known only to you, so we call it the private key .
If you see padlocks and keys as analog keys and private keys, you can see how this can work with real-world messages:
- Bob gives Alice a lock (his public key) and holds the key to the lock (his private key).
- Now, if Alice wants to send Bob a message, she puts the message in a box, puts her lock on the box and sends him a box.
- Only Bob has the key, so only Bob can unlock the lock and get inside the box.
RSA key generation requires three important numbers:
- "N", the product of two very large primes p and q
- "e", "public exhibitor"
- "d", "private exhibitor"
Most RSA security comes from the fact that it is very difficult to determine that d given by N and e . The public key in RSA consists of two numbers: <N,e> , and the private key <N,d> .
In other words, if I know what Bob’s padlock looks like, it must be very difficult to reprogram the key that will open Bob’s padlock.
Why is 1 bad?
1 is a bad choice because it makes it very easy to reverse engineer the key that will open Bob’s lock, which is the opposite of what we want.
The problematic section is as follows:
def gen_keys(keydir, keyname, keysize, user=None):
This is a Python snippet that generates an RSA key using e = 1 .
The relationships between N , e and d defined as follows:
d*e = 1 mod (p-1)(q-1)
But wait: if you choose e = 1 , as SaltStack did, you will have a problem:
d = 1 mod (p-1)(q-1)
You now have a secret key! Security is compromised as you can understand what d . That way, you can decrypt all the transmissions - you made it so that it’s trivial to get Bob’s key given his lock. Unfortunately.
This is actually getting worse. In RSA, encryption means that you have a message m for transmission that you want to encrypt with the public key <N,e> . The encrypted message c calculated as:
c = m^e (mod N)
So, if e = 1 , then m^e = m , and you have c = m mod N
But if m < N , then m mod N m . So you have:
c = m
The ciphertext is the same message text , so no encryption occurs at all! Double oops.
Hope this is clear why 1 is a bad choice!
Why is 65537 better?
65537 seems an unusual, arbitrary choice. You may wonder why, for example, we could not just choose e = 3 . The lower the e , the faster the encryption will be, because something needs to be done for encryption:
c = m^e (mod N)
and m^e can be very large when e is large.
It turns out that 65537 mainly refers to compatibility reasons with existing hardware and software, and for several other reasons. This Cryptography StackExchange answer explains this in detail.
With a suitable random padding scheme, you can choose almost any odd integer other than 1 without affecting security, so e = 3 otherwise is a choice that maximizes performance.