Yes, I understand the list of prime numbers is known; unfortunately, I
can only implement the solutions my management agrees with. This code
path is used for login authentication and has been used for a while, so
I guess everybody thinks it's OK to use it.

Unfortunately, I also spoke too soon. I had a hack in the code I forgot
about. When I removed it, the program still hung, regardless of
whether I was using v7 or v8 flags. They don't build 32-bit executables,
do they? Is there anything else I could try?

Thanks,
Yuliya

-----Original Message-----

Ah, but isn't every prime your program generates somewhere on
one of those lists of primes?  Thus an attacker does already have
a list of codes... ;-)

Be aware of 2 things in dealing with prime generation from
OpenSSL:

The prime generation routine cannot generate small primes.
To see what I mean you can try generating a prime with 1 bit
of length, 2 bits of length, 3 bits of length, etc.  You should
therefore range check any input you send to these routines to
ensure that the primes you want are not under 64 bits in length.

The routine doesn't guarantee the numbers it generates are prime.
It only guarantees that it will NOT pass a number to you that
is NOT prime.  Basically, you have a 99.5% (or better depending
on who you talk to) chance that any given number you get is prime.

If you are using the primes as part of crypto key generation
they are sufficient for this.

If you are using them for some kind of scientific proof or
some such, you really need to scrap all of this and replace it
with a prime generation routine.

Ted

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
