If openssl uses a lot of CPU, then it is not blocked waiting for "entropy". OpenSSL is actually sane in that respect, and uses a cryptographically secure PRNG to extend an initial seed into as many bits as it needs.

When you use dhparam, OpenSSL not only generates DH parameters; it also wants to assert its social status by taking care to use for the modulus a so-called "strong prime", which is useless for security but requires an awful lot more computational effort. A "strong prime" is a prime p such that (p-1)/2 is also prime. The prime generation algorithm looks like this:

Random odd 4096-bit integers have a probability of about 1/2000 of being prime, and since both p and (p-1)/2 must be prime, this will on average require generating and testing for primality about 4 million odd integers. When going from 2048-bit to 4096-bit, the density of strong primes is divided by 4, and the primality tests will also be about 4 times slower, so if generating a 2048-bit DH modulus takes 1 hour on average, the same machine with the same software will use an average of 16 hours for a 4096-bit DH modulus. These are only averages; each individual generation may be faster or slower, depending on your luck.

The reasonable solution would be to add the -dsaparam option:

`openssl dhparam -dsaparam -out /etc/ssl/private/dhparam.pem 4096`
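The strong-prime loop described above, next to the cheaper DSA-style construction that -dsaparam switches to, as an added example that is not part of the original post or of OpenSSL's code; the Miller-Rabin test, the `rand_odd` helper, the `p = 2*k*q + 1` construction and the small bit sizes are assumptions of this example (the DSA-style path is a simplification, not the FIPS 186 procedure).

```python
import itertools
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rounds=40):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if n in SMALL_PRIMES:
        return True
    if n < 2 or any(n % q == 0 for q in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:               # write n - 1 = d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # this base witnesses that n is composite
    return True

def rand_odd(bits):
    """Random odd integer of exactly `bits` bits (top and low bit forced to 1)."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1

def is_safe_prime(p):
    """The "strong prime" of the text: p and (p-1)/2 both prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def generate_safe_prime(bits):
    """dhparam-style loop: random odd candidate, test p and (p-1)/2, repeat. Returns (p, candidates tried)."""
    for tried in itertools.count(1):
        p = rand_odd(bits)
        if is_safe_prime(p):
            return p, tried

def generate_dsa_style_prime(bits, qbits):
    """DSA-style modulus (simplified, not FIPS 186): pick a prime q, then try p = 2*k*q + 1 until p is prime."""
    q = next(c for c in iter(lambda: rand_odd(qbits), None) if is_probable_prime(c))
    for tried in itertools.count(1):
        k = rand_odd(bits - qbits - 1)       # sized so p = 2*k*q + 1 can reach `bits` bits
        p = 2 * k * q + 1
        if p.bit_length() == bits and is_probable_prime(p):
            return p, q, tried
```

Comparing the `tried` counts returned by `generate_safe_prime(64)` and `generate_dsa_style_prime(64, 24)` shows in miniature why the strong-prime search dominates the runtime: the DSA-style loop needs roughly one large primality test per candidate and no second prime to find.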