On 19 March 2013 09:01, azhar jodatti <azhar...@gmail.com> wrote:

> And possibly relevant here, the standard Suncle JCE provider actually
> uses DSA paramgen for DH and thus imposes the DSA size restrictions
> on DH -- 512 to 1024 in steps of 64 -- although they aren't required
> by any standard I know of. I don't recall if JCE also restricts
> *existing* (received) params; I'll test when I have some time.
> I do recall you can get around this by using BouncyCastle instead.
> But just using 1024 is easy and fine.
> -->
>
> Sometimes I get the below error "Prime size must be multiple of 64, and can only
> range from 512 to 1024 (inclusive)"
> when I use small prime numbers. It means JCE uses DSA parameters for the DH
> algorithm. What is the OpenSSL equivalent to this?
>
>         KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
>         kpg.initialize(1024);
>         keyPair = kpg.generateKeyPair();
>
>         DHParameterSpec dhSpec = ((DHPublicKey) keyPair.getPublic()).getParams();
>         baseGenerator = dhSpec.getG();
>         prime = dhSpec.getP();
>         sizeInBits = dhSpec.getL();
> Is this Java code equivalent to the C code below?
>         DH_generate_parameters_ex(client,1024,DH_GENERATOR_5,NULL);
>
> See, with OpenSSL I have to pass DH_GENERATOR, which only allows (2 and 5),
> but that is not required in the Java version. It generates its own base generator.

It appears to be equivalent, although I am not familiar with the JCE
API. What I do not understand though is why you have code to generate
parameters on *both* sides of your communication. If you are going to
generate params every time (which both Dave and myself have advised
against - it is an expensive operation), you still only need to do it
on one side of the communication. So, after a bit of googling, I
would expect to see something like this on the Java side (if the C
side generates the params):

KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
kpg.initialize(new DHParameterSpec(/* p value passed from C */,
                                   /* g value passed from C */));
keyPair = kpg.generateKeyPair();

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
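
The arrangement described in the reply above (one side generates p and g, the other reuses them), as an added example that is not part of the original thread. It assumes p and g arrive as hex strings; the class and method names are hypothetical, and the generating side is simulated in Java so the example runs on its own.

```java
import java.math.BigInteger;
import java.security.*;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.spec.DHParameterSpec;

public class DhSharedParams {   // hypothetical class name
    // Validate received parameters before use: size, primality of p, range of g.
    static DHParameterSpec checkedSpec(String pHex, String gHex) {
        BigInteger p = new BigInteger(pHex, 16), g = new BigInteger(gHex, 16);
        if (p.bitLength() < 1024) throw new IllegalArgumentException("prime too small");
        if (!p.isProbablePrime(64)) throw new IllegalArgumentException("p is not prime");
        if (g.compareTo(BigInteger.ONE) <= 0 || g.compareTo(p.subtract(BigInteger.ONE)) >= 0)
            throw new IllegalArgumentException("g must satisfy 1 < g < p-1");
        return new DHParameterSpec(p, g);
    }

    // Generate a key pair on the received p and g; no parameter generation happens here.
    static KeyPair keyPairFor(DHParameterSpec spec) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(spec);
        return kpg.generateKeyPair();
    }

    static byte[] agree(PrivateKey mine, PublicKey theirs) throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(mine);
        ka.doPhase(theirs, true);
        return ka.generateSecret();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the generating side (the C program in the thread).
        AlgorithmParameterGenerator apg = AlgorithmParameterGenerator.getInstance("DH");
        apg.init(1024);
        DHParameterSpec sent = apg.generateParameters().getParameterSpec(DHParameterSpec.class);
        String pHex = sent.getP().toString(16), gHex = sent.getG().toString(16);

        // Receiving side: check the values, then build keys on the same parameters.
        DHParameterSpec spec = checkedSpec(pHex, gHex);
        KeyPair a = keyPairFor(spec), b = keyPairFor(spec);
        byte[] s1 = agree(a.getPrivate(), b.getPublic());
        byte[] s2 = agree(b.getPrivate(), a.getPublic());
        System.out.println("shared secrets match: " + Arrays.equals(s1, s2));
    }
}
```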
