> From: [email protected] On Behalf Of Pankracy
> Sent: Saturday, 12 January, 2013 13:33

(I don't think this is a -dev question.)

> How long is key_length (int) in RSA_generate_key ?
> Can I put here a 1000,1001,1002 etc or
> (1024*3) or other values?
>

Yes, but. By default (i.e. not using an engine, which may impose limits) you can generate an RSA keypair of practically any size you like. It scales cubically and on decent hardware 4096 takes a few seconds, so 16384 would take several hours and 65536 about a year.

Bare (mathematical) RSA can use any number of bits but the conventional padding schemes are octet-oriented so any size that is not a multiple of 8 is effectively (a little) wasted. Practically all common data formats nowadays (that contain a key or signature or cryptogram) are also octet-oriented. As a result, implementations are not thoroughly exercised for non-octet sizes (or at all) so there may well be some greater risk of hitting a bug. It is popular but not necessary to use "binary-nice" sizes like 1024 1536 2048 2560 3072 4096 etc.

OpenSSL non-engine will not *use* a key >16384 for RSA public operations (encrypt, verify) at all, and will not use one >3072 with a "large" public exponent e (>64 bits). OpenSSL can't generate with e > usually 32 bits, but this could be an issue for interoperation -- or DoS attack. Other implementations may have analogous limits but not necessarily the same. OpenSSL doesn't impose a limit on private operations, but if the matching public operation cannot be done the private operation is useless.

> I use if(RSA_check_key (keypair) <= 0) with key_length 50 and I can't
> get any error. This is possible?

_generate_key and _check_key should work. However, RSA 50 is far too small for any security, and also too small for conventional padding schemes. Factoring passed 768 a few years ago, so I would say anything <=900 is unsafe, and <=1024 is dubious.
Although technically it should be enough for some years to go to 1200 or so (1280 and 1536 being the next binary-nice values), most authorities have jumped to 2048, apparently on the principle that it's a lot of work for everybody to do new keys and certs and cert chains and trust stores etc etc, so we might as well make it last as long as practical, and 2048 is (almost always) practical.

If you want to use a size like 2040 or 2000 or 1920 go ahead, but expect some people to be surprised and maybe even confused. If you use 2560 or 3072 or maybe 3000, people will just think you're more security-minded than average but not be confused.
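
The size limits described in the message above, applied as a pre-use check on a received PKCS#1 RSAPublicKey. This is an added example, not code from the original message or from OpenSSL. The function names are hypothetical, the thresholds are the ones quoted in the message, and the sample keys are constructed (the moduli are not real RSA moduli).

```python
# Added example; thresholds are the ones quoted in the message above.
MAX_BITS = 16384          # larger moduli are refused for public operations
MAX_BITS_LARGE_E = 3072   # limit that applies when e is "large"
LARGE_E_BITS = 64         # e above this many bits counts as "large"

def _read(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: N length bytes follow
        k = length & 0x7F
        if k == 0 or k > 4 or pos + k > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def parse_rsa_public_key(der):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus, publicExponent } -> (n, e)."""
    body, end = _read(der, 0, 0x30)
    n_raw, pos = _read(body, 0, 0x02)
    e_raw, pos = _read(body, pos, 0x02)
    if end != len(der) or pos != len(body):
        raise ValueError("trailing data")
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

def check_key(der):
    """Return findings; one starting with 'reject' means do not use the key."""
    n, e = parse_rsa_public_key(der)
    bits, findings = n.bit_length(), []
    if bits > MAX_BITS:
        findings.append("reject: modulus over 16384 bits")
    elif bits > MAX_BITS_LARGE_E and e.bit_length() > LARGE_E_BITS:
        findings.append("reject: over 3072 bits with e over 64 bits")
    if bits % 8:
        findings.append("warn: size is not a multiple of 8")
    if bits <= 1024:
        findings.append("warn: 1024 bits or fewer")
    return findings

def _der(tag, value):   # DER encoder, used only to build the constructed samples
    k = (len(value).bit_length() + 7) // 8
    head = bytes([len(value)]) if len(value) < 128 else bytes([0x80 | k]) + len(value).to_bytes(k, "big")
    return bytes([tag]) + head + value

def make_sample(bits, e=65537):
    """Constructed sample with a modulus of the given bit length, not a real key."""
    enc = lambda x: _der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))
    return _der(0x30, enc((1 << (bits - 1)) | 1) + enc(e))
```

Running the check before any public-key operation keeps an oversized modulus or exponent from a peer from reaching the modular exponentiation at all.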
