OpenSSL "genpkey dh_paramgen_prime_len:256" - DH Short Keys

Q

How to generate a new DH key pair with a longer key size using OpenSSL "genpkey" command?

✍: FYIcenter.com

A

If you need a new DH key pair with a longer key size for testing purpose, you can use the OpenSSL "genpkey" command as shown below:

C:\Users\fyicenter>\local\openssl\openssl

OpenSSL> genpkey -genparam -algorithm dh -out dh_test.prm 
   -pkeyopt dh_paramgen_prime_len:256
..+...............................+.......+...+.........+..........+.....+......
+....+.........+..+....+..........+...+.............+........+..........+.....+.
.............+............++*++*++*++*++*++*++*++*++*++*++*++*

OpenSSL> genpkey -paramfile dh_test.prm -out dh_test.key

OpenSSL> pkey -in dh_test.key -text -noout
DH Private-Key: (256 bit)
    private-key:
        6c:dc:6a:8e:20:70:0b:51:48:17:36:a1:40:7f:d7:
        b1:db:e2:44:b4:a2:e2:43:2f:b6:af:2a:a2:d5:c8:
        a3:34
    public-key:
        00:ae:1e:0c:de:f3:0f:f7:d8:55:d1:1e:a6:90:d0:
        20:51:7a:8e:72:3b:b2:53:d4:da:f2:99:e7:42:1d:
        13:88:19
    prime:
        00:de:a5:5b:2c:59:65:ad:ef:7e:66:48:13:af:8a:
        78:69:3c:80:b3:3c:77:82:44:20:ff:ca:6c:b6:9e:
        56:7b:2b
    generator: 2 (0x2)

What this test tells us:

  • The "-pkeyopt dh_paramgen_prime_len:n" option controls the size of DH key generation parameters and keys. The default value is "dh_paramgen_prime_len:1024"
  • OpenSSL allows you to generate shorter DH keys.
  • The shortest DH keys are 256-bit long.

 

OpenSSL "genpkey" Command for DH Keys

⇒⇒OpenSSL Tutorials

2017-09-01, 284👍, 0💬