OpenSSL "genpkey dh_paramgen_prime_len:3072" - DH Long Keys

Q

How to generate a new DH key pair with a longer key size using OpenSSL "genpkey" command?

✍: FYIcenter.com

A

If you need a new DH key pair with a longer key size for testing purpose, you can use the OpenSSL "genpkey" command as shown below:

C:\Users\fyicenter>time
The current time is: 22:17:06.45
  
C:\Users\fyicenter>\local\openssl\openssl
OpenSSL> genpkey -genparam -algorithm dh -out dh_test.prm 
   -pkeyopt dh_paramgen_prime_len:3072
................................

OpenSSL> exit
C:\Users\fyicenter>time
The current time is: 22:33:53.68

C:\Users\fyicenter>\local\openssl\openssl
OpenSSL> genpkey -paramfile dh_test.prm -out dh_test.key

OpenSSL> pkey -in dh_test.key -text -noout
DH Private-Key: (3072 bit)
    private-key:
        63:de:f3:5c:8f:36:6a:1d:73:3f:a6:36:f9:a0:ae:
        33:db:99:04:61:9a:4b:2d:90:ed:af:99:12:46:1b:
        2d:09:be:3c:8c:0c:3d:da:05:36:64:d4:7a:93:d5:
...

What this test tells us:

  • The "-pkeyopt dh_paramgen_prime_len:n" option controls the size of DH key generation parameters and keys. The default value is "dh_paramgen_prime_len:1024"
  • OpenSSL allows you to generate longer DH keys.
  • Using OpenSSL "genpkey -genparam" command to generate 3072-bit DH parameters takes more than 7 minutes on a laptop computer.
  • Using OpenSSL "genpkey -genparam" command to generate 4096-bit DH parameters takes more than 20 minutes on a laptop computer.

 

OpenSSL "genpkey dh_paramgen_generator:3" - DH Param Generator

OpenSSL "genpkey dh_paramgen_prime_len:256" - DH Short Keys

OpenSSL "genpkey" Command for DH Keys

⇑⇑ OpenSSL Tutorials

2017-07-25, 1353👍, 0💬