On 08/20/2017 09:50 AM, Salz, Rich via openssl-users wrote:
If you generate 19 bytes of RAND output, it will never exceed 20 bytes encoded.
OpenSSL will be generating 159 bits of RAND output, so that it will never
exceed 20 bytes encoded. The command-line RAND program is bytes, the C API is
bits.

On 08/20/2017 09:32 AM, Viktor Dukhovni wrote:
> On Aug 20, 2017, at 8:35 AM, Robert Moskowitz wrote:
>
> It is 64 - 160 BITS
Correct, with the word "cryptographically random" somewhere in
there, for at least 64 of the bits.
> Which is 8 - 20 OCTETS
Correct, since an "octet" is 8 bits.
> or 4 - 10 BYTES
No, a "byte" nowadays is the same

It is 64 - 160 BITS
Which is 8 - 20 OCTETS
or 4 - 10 BYTES
And
openssl rand -hex n
Generates n BYTES
Thus what openssl does by default for a self-signed cert, e.g. a root CA
cert of a serial of 8 BYTES is indeed Best Practice, given that if the
first bit were ONE, the serial would then be
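
The length arithmetic discussed in this thread, as an added example that is not part of any poster's message or of OpenSSL's code: a serial number is carried as a DER INTEGER, which gains a leading 0x00 octet whenever the top bit of the random value is set, so the encoded length depends on the number of random bits drawn. The function names and the `MAX_SERIAL_OCTETS` constant are hypothetical, chosen for this illustration.

```python
import secrets

MAX_SERIAL_OCTETS = 20  # upper bound discussed in the thread (160 bits)


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative value."""
    if value < 0:
        raise ValueError("serial numbers must be non-negative")
    # DER INTEGER is minimal two's complement: one extra 0x00 octet is
    # needed exactly when the top bit of the leading magnitude octet is 1.
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def worst_case_octets(random_bits: int) -> int:
    """Longest encoding that any value of `random_bits` random bits can need."""
    return len(der_integer_content((1 << random_bits) - 1))


def new_serial(random_bits: int = 159) -> int:
    """Draw a serial from the OS CSPRNG, retrying on the (negligible) zero."""
    while True:
        value = secrets.randbits(random_bits)
        if value:
            return value


if __name__ == "__main__":
    # 64 bits = 8 random bytes, 152 bits = 19 bytes, 160 bits = 20 bytes.
    for bits in (64, 152, 159, 160):
        octets = worst_case_octets(bits)
        verdict = "ok" if octets <= MAX_SERIAL_OCTETS else "too long"
        print(f"{bits:3d} random bits -> at most {octets} octets ({verdict})")
    print("sample serial:", der_integer_content(new_serial()).hex())
```

Run directly, it prints the worst-case encoded length for 64, 152, 159 and 160 random bits, followed by one sample serial in hex.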