Hi List, I have a question which is partly OpenSSL specific and partly a more general Diffie-Hellman (parameter generation) question....
The background for my problem is that I'm writing an engine and am trying to implement the: int (*generate_params)(DH *dh, int prime_len, int generator, BN_GENCB *cb); function of the dh_method. This function, as per the internal OpenSSL implementation, expects the bit size of the prime and the value of the generator, however, the API that I'm calling through to expects the bit size of the prime and the 'Diffie-Hellman generator order' (as an unsigned long.) >From my understanding the 'Diffie-Hellman generator order' that they are refering to is the order of the cyclic subgroup GF(p)* whose generator is the same 'g' which the OpenSSL function takes as an input. The API allows me to retrive the generator as a result of the parameter generation process, the values of which are large and nothing like the 2 or 5 that OpenSSL expects as input to the DH_check() function. A sample application which comes with the API that I'm calling through to caluclates the generator order parameter as 7 * (prime_length/8). I haven't seen this relation before, and I wonder if it's secure for general use or how it can be explained? If anybody has any thoughts on this I'd be interested. Also, the primes that the other API generates are consistently found to be unsafe primes by the DH_check() function. I believe that this is due to the fact that the prime must satisfy p = jq + 1 however OpenSSL checks only for j = 2. (This I believe because the DH_check function checks the prime, then does a right shift on the prime and checks again.) I wonder if anybody is able to tell me whether the following hypothesis is correct: It's impossible to map from the generator value (openssl param) to the generator order (other API param) without first knowing the prime being generated (as it must fit the relation p = jq+1 where q is the order of the subgroup). The best that I can do in implementing the DH parameter generation function for my engine is to: - ignore the 'generator' parmeter which is passed to my engine's DH parameter generation function, - calculate the 'generator order', possibly using the 7 * (prime_len / 8) function above or some other relation between the prime length and the generator order, - place the received generator back into DH->g after generating the prime, - Expect the DH_check() to fail to check the generator always, and expect it to declare the generated prime to be unsafe with the knowledge that it is infact safe, however not according to the j=2 OpenSSL check. Thanks for reading this far, and I'd appreciate any light that anyone can shed on my problem, Jon Send instant messages to your online friends http://au.messenger.yahoo.com ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
