OpenSSL "genpkey dsa_paramgen_bits:256" - DSA Short Keys

Q

How to generate a new DSA key pair with a shorter key size using OpenSSL "genpkey" commands?

✍: FYIcenter.com

A

If you need a new DSA key pair with a shorter key size for testing purposes, you can use the OpenSSL "genpkey -pkeyopt dsa_paramgen_bits:nnn" command. The "-pkeyopt dsa_paramgen_bits:nnn" option specifies the size, in bits, of the DSA key to be generated. The default is 1024 bits.

Remember that DSA key generation is a 2-step process, as shown below:

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> genpkey -genparam -algorithm dsa -out dsa_test.prm -pkeyopt dsa_paramgen_bits:256

..+..+..............+..........+++++++++++++++++++++++++++++++++++++++++++++++++
++*
.............+....+..+.......................+.............+.+++++++++++++++++++
++++++++++++++++++++++++++++++++*

OpenSSL> genpkey -paramfile dsa_test.prm -out dsa_test.key

OpenSSL> pkey -in dsa_test.key -text -noout
Private-Key: (512 bit)
priv:
    5e:24:f6:13:68:b3:47:65:66:0b:d8:b2:d8:b9:61:
    97:1c:28:1c:10
pub:
    00:a7:78:fb:f5:ab:1e:97:f3:5c:b3:ed:54:d0:f1:
    1c:e5:65:74:28:94:7f:4a:58:29:db:c2:df:31:66:
    c4:fe:2b:e7:c7:4f:15:45:da:fb:ae:e1:e2:65:33:
    9d:cb:e0:26:4f:3e:0e:2f:a5:01:c6:6d:b5:e4:ca:
    51:ab:89:47:6e
P:
    00:bc:88:82:2f:8e:14:2d:4f:39:26:c5:4c:a1:47:
    f9:03:64:75:dc:83:a5:44:26:0c:52:71:b5:05:69:
    e7:35:20:c7:71:76:ce:1c:c9:a8:71:cb:5a:8c:e5:
    c8:33:88:8f:ba:0b:a3:95:0b:6a:a2:27:9b:72:03:
    fe:cf:50:d5:b7
Q:
    00:ea:00:c0:7f:9b:d0:b4:4d:50:8c:c9:c3:89:b3:
    cb:25:79:d5:6f:77
G:
    00:8b:08:f7:0f:9c:24:72:a3:9c:e4:a9:b6:6f:64:
    a6:b1:c1:b5:a4:49:21:df:9d:64:ed:23:9f:31:5e:
    89:39:a6:2d:02:14:42:65:ef:d7:e3:3c:24:dc:a7:
    eb:9b:34:e2:1f:46:12:a1:13:c1:8c:31:51:2b:c5:
    ad:5c:5f:96:ee

What this test tells us:

  • OpenSSL allows you to generate shorter DSA keys. The shortest ones with the "genpkey" commands are 256 bits. But don't use them in production systems. Any key shorter than 2048 bits is considered unsafe.
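
To check what size a key really has, independent of the option passed at generation time, the following added example (not part of the original page) parses the "pkey -text -noout" output format shown above and measures P and Q. The function names and the use of Python are choices made for this example; the sample input is the header, P and Q copied from the dump above.

```python
import re

MIN_P_BITS = 2048  # production threshold stated on this page

# Header, P and Q copied from the "pkey -text -noout" dump shown on this page.
SAMPLE_DUMP = """\
Private-Key: (512 bit)
P:
    00:bc:88:82:2f:8e:14:2d:4f:39:26:c5:4c:a1:47:
    f9:03:64:75:dc:83:a5:44:26:0c:52:71:b5:05:69:
    e7:35:20:c7:71:76:ce:1c:c9:a8:71:cb:5a:8c:e5:
    c8:33:88:8f:ba:0b:a3:95:0b:6a:a2:27:9b:72:03:
    fe:cf:50:d5:b7
Q:
    00:ea:00:c0:7f:9b:d0:b4:4d:50:8c:c9:c3:89:b3:
    cb:25:79:d5:6f:77
"""


def parse_fields(dump):
    """Return {label: int} for each hex-dumped field (priv, pub, P, Q, G)."""
    fields, label = {}, None
    for line in dump.splitlines():
        header = re.fullmatch(r"(\w+):", line.strip())
        if header and not line.startswith(" "):
            label = header.group(1)          # e.g. "P:" starts a new field
            fields[label] = ""
        elif label and re.fullmatch(r"\s+[0-9a-fA-F:]+", line):
            fields[label] += line.strip().replace(":", "")
    return {k: int(v, 16) for k, v in fields.items() if v}


def audit_dsa_dump(dump, min_p_bits=MIN_P_BITS):
    """Measure P and Q from the dump and flag keys below the minimum."""
    fields = parse_fields(dump)
    if "P" not in fields or "Q" not in fields:
        raise ValueError("dump does not contain DSA parameters P and Q")
    # bit_length() ignores the leading 00 sign byte OpenSSL prints.
    p_bits = fields["P"].bit_length()
    q_bits = fields["Q"].bit_length()
    return {"p_bits": p_bits, "q_bits": q_bits, "ok": p_bits >= min_p_bits}


if __name__ == "__main__":
    print(audit_dsa_dump(SAMPLE_DUMP))
```
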


2017-12-13