generation of safe primes

I need to generate a safe prime which has the form 2p + 1 where p is also prime of a certain bit length (let's say 1024 bits). It is to be used in a DH key exchange.

I believe openssl can do this via

openssl gendh 1024

However, this returns a base64 PEM format:

-----BEGIN DH PARAMETERS-----
MIGHAoGBANzQ1j1z7RGB8XUagrGWK5a8AABecNrovcIgalv1hQdkna2PZorHtbOa
wYe1eDy1t/EztsM2Cncwvj5LBO3Zqsd5tneehKf8JoT35/q1ZznfLD8s/quBgrH8
es2xjSD/9syOMMiSv7/72GPJ8hzhLrbTgNlZ+kYBAPw/GcTlYjc7AgEC
-----END DH PARAMETERS-----
  • How can I extract the safe prime number from this base64 pem?

  • Is it easier to generate my own safe prime with my own code?

How can I test that a prime is 'safe' and of a certain bit length?


@GregS has an approach that will probably work for you. Based on what you have told me, I would just create a C binary and leverage the BN_generate_prime(...) function in OpenSSL. That cuts out all of the intermediate parsing and despite adding a separate binary into the mix, it's probably easier than the road you are headed down.


I agree with the comments made by @Luke. However, if for some reason you must use openssl command lines there are a few options but they'll only get you so far. None of these will do any significant arithmetic for you; they won't retrieve (p-1)/2 and check it for primality.

You can use the openssl dh command and parse the output. Try it with and without the -C option to see which works better for you. Examples.

openssl gendh -out testdh.pem 1024
openssl dh -in testdh.pem -noout -C
openssl dh -in testdh.pem -noout

If you can handle or prefer binary then you can parse the binary output for the DER-encoded DH structure.

openssl dh -in testdh.pem -outform der -out testdh.der

Another option is to parse the output of the asn1parse command:

openssl asn1parse -in testdh.pem
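Added example, not code from the question or from either answer: a standard-library Python sketch that pulls p and g out of the DH PARAMETERS block quoted in the question and performs the (p-1)/2 primality check that the openssl command lines above leave undone. It assumes the PKCS#3 layout SEQUENCE { INTEGER p, INTEGER g, ... }; all function names are made up for this example, and primality is probabilistic (Miller-Rabin).

```python
import base64
import random

PEM = """-----BEGIN DH PARAMETERS-----
MIGHAoGBANzQ1j1z7RGB8XUagrGWK5a8AABecNrovcIgalv1hQdkna2PZorHtbOa
wYe1eDy1t/EztsM2Cncwvj5LBO3Zqsd5tneehKf8JoT35/q1ZznfLD8s/quBgrH8
es2xjSD/9syOMMiSv7/72GPJ8hzhLrbTgNlZ+kYBAPw/GcTlYjc7AgEC
-----END DH PARAMETERS-----"""  # copied verbatim from the question above

def _tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (content, next_pos)."""
    if buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#x}, got {buf[pos]:#x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def parse_dh_pem(pem):
    """Return (p, g) from a PKCS#3 'DH PARAMETERS' PEM block."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    seq, _ = _tlv(base64.b64decode(body), 0, 0x30)   # outer SEQUENCE
    p_raw, pos = _tlv(seq, 0, 0x02)                  # INTEGER p (leading 0x00 pad is harmless)
    g_raw, _ = _tlv(seq, pos, 0x02)                  # INTEGER g
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")

def is_probable_prime(n, rounds=40):
    """Miller-Rabin: n passes a round if a^d = 1 or a^(d*2^r) = -1 (mod n) for some r < s."""
    small = (2, 3, 5, 7, 11, 13)
    if n < 2 or any(n % q == 0 for q in small):
        return n in small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x != 1 and all(pow(x, 1 << r, n) != n - 1 for r in range(s)):
            return False  # this base is a witness that n is composite
    return True

def check_safe_prime(p, bits):
    """True only if p has exactly `bits` bits and both p and (p-1)/2 are probable primes."""
    return p.bit_length() == bits and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

if __name__ == "__main__":
    print(check_safe_prime(parse_dh_pem(PEM)[0], 1024))
```

The same `check_safe_prime` call works on a prime produced by your own generator, so it can serve as an independent check on whichever generation route you choose.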