None of that FAQ applies to the DH exponents, though.

On Wed, Dec 08, 2004 at 03:28:25PM -0500, Jim Schneider wrote:
> This is probably another one for the FAQ:
> 
> Setting the highest bit of a random string guarantees that it's N bits long.
> 
> Technically, a bit string with the highest order several bits set to zero is 
> also N bits long, but not mathematically.  If you are generating a pair of N 
> bit primes to use for keying operations, you want to make sure that their 
> product is as difficult to factor as possible.  If the top-most several bits 
> are zero, the effective key length is reduced.
> 
> On Wednesday 08 December 2004 14:40, David Martin wrote:
> > Hi all,
> >
> > Looking through openssl's DH code (0.9.7d, see below),
> > when choosing the secret exponent, openssl chooses a
> > random number where the most significant bit of the
> > exponent is always set to be 1 (that's what top=0 does
> > as the 3rd argument to BN_rand).  I can't figure out
> > any security justification for it.  PKCS #3 also
> > indicates that a "central authority" may stipulate that
> > high bits be set on DH exponents-- but I can't find any
> > explanation there either.  Can anyone explain what I'm
> > missing?
> >
> > if (generate_new_key)
> > {
> >   l = dh->length ? dh->length : BN_num_bits(dh->p)-1;
> >     /* secret exponent length */
> >   if (!BN_rand(priv_key, l, 0, 0)) goto err;
> > }
> >
> > Thanks,
> > David
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > Development Mailing List                       [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> 
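The `top` argument discussed in this thread, modeled in Python as an added example (not OpenSSL code and not written by any poster). It follows the documented BN_rand semantics (top=-1 leaves the high bit random, top=0 forces it to 1, top=1 forces the two high bits to 1) and computes what each mode does to the output range and to the product of two such numbers. All function names are hypothetical.

```python
import secrets

def bn_rand_model(bits, top):
    """Model of BN_rand(rnd, bits, top, 0); not the OpenSSL implementation."""
    if top not in (-1, 0, 1) or bits < 2:
        raise ValueError("top must be -1, 0 or 1 and bits >= 2")
    r = secrets.randbits(bits)
    if top >= 0:
        r |= 1 << (bits - 1)          # top=0 and top=1: force the MSB
    if top == 1:
        r |= 1 << (bits - 2)          # top=1: also force the next bit
    return r

def value_range(bits, top):
    """Inclusive (lo, hi) range of values the model can return."""
    lo = {-1: 0, 0: 1 << (bits - 1), 1: 3 << (bits - 2)}[top]
    return lo, (1 << bits) - 1

def entropy_bits(bits, top):
    """log2 of the number of possible outputs (always a power of two)."""
    lo, hi = value_range(bits, top)
    return (hi - lo + 1).bit_length() - 1

def min_product_bits(bits, top):
    """Bit length of the smallest product of two outputs (the RSA-modulus case)."""
    lo, _ = value_range(bits, top)
    return (lo * lo).bit_length()

if __name__ == "__main__":
    l = 160                           # constructed exponent length, for illustration
    for top in (-1, 0, 1):
        lengths = {bn_rand_model(l, top).bit_length() for _ in range(2000)}
        print(f"top={top:2d}: observed bit lengths {min(lengths)}..{max(lengths)}, "
              f"{entropy_bits(l, top)} random bits, "
              f"smallest product of two 512-bit values: "
              f"{min_product_bits(512, top)} bits")
```

With top=0 every value is exactly `bits` long but only `bits - 1` of its bits are random; only top=1 guarantees that the product of two such values has the full `2 * bits` length.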