None of that FAQ applies to the DH exponents, though.
On Wed, Dec 08, 2004 at 03:28:25PM -0500, Jim Schneider wrote: > This is probably another one for the FAQ: > > Setting the highest bit of a random string guarantees that it's N bits long. > > Technically, a bit string with the highest order several bits set to zero is > also N bits long, but not mathematically. If you are generating a pair of N > bit primes to use for keying operations, you want to make sure that their > product is as difficult to factor as possible. If the top-most several bits > are zero, the effective key length is reduced. > > On Wednesday 08 December 2004 14:40, David Martin wrote: > > Hi all, > > > > Looking through openssl's DH code (0.9.7d, see below), > > when choosing the secret exponent, openssl chooses a > > random number where the most significant bit of the > > exponent is always set to be 1 (that's what top=0 does > > as the 3rd argument to BN_rand). I can't figure out > > any security justification for it. PKCS #3 also > > indicates that a "central authority" may stipulate that > > high bits be set on DH exponents-- but I can't find any > > explanation there either. Can anyone explain what I'm > > missing? > > > > if (generate_new_key) > > { > > l = dh->length ? dh->length : BN_num_bits(dh->p)-1; > > /* secret exponent length */ > > if (!BN_rand(priv_key, l, 0, 0)) goto err; > > } > > > > Thanks, > > David > > ______________________________________________________________________ > > OpenSSL Project http://www.openssl.org > > Development Mailing List [EMAIL PROTECTED] > > Automated List Manager [EMAIL PROTECTED] > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List [EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]