Re: Key size for server

Fri, 23 Mar 2001 07:55:55 -0800 

Pradeep,

    You are a troublemaker ;)

    Microsoft's CryptoAPI CSP architecture requires RSA primes to be a
multiple of 8 bits in length, which in turn forces moduli to be a multiple
of 16 bits in length. Since IE uses one of the MS CSP's, I would assume only
moduli which are a multiple of 16 bits in length would work. On the other
hand, I wouldn't be surprised to find that moduli whose size is 8 mod 16
also work; the MS CSP just can't generate keys like that. The docs for
RSAPUBKEY say the bitlen must be a multiple of 8.

    As for the smallest key size, PKCS#1 block type 2 padding uses up 11
bytes of the RSA payload, so the smallest modulus would be 48+11=59 bytes,
or 472 bits. You should not use such small moduli, however.

_____________________________________
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_____________________________________



----- Original Message -----
From: "Pradeep kamath" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 23, 2001 9:00 AM
Subject: Key size for server


> Hello all,
>  Iam using "openssl req" command to generate a private key and
> certificate request for a
> pache-mod_ssl server. Here I have to specify the keysize in bits...
> For all sizes greater than 384 I generate a key and request
> successfully  ..Iam also able to get a certificate and install it.
> But with this certificate and a 384 bit key the browser is unable to
> connect to the server..
> I had earlier put this query..I was suggested to change the size to 1024
> or greater moduli
> I tried a 1024 bit key ..everything was fine...
> But whenI tried a 1025 bit private key Netscape browser connected
> fine..but IE did not connect.
>
> Is there some particular size(s) for which the browsers work??
> Any help will be greatly appreciated.
>
> TIA,
> Pradeep
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to