Hi,
I'm doing some small development (crypto protocol, similar to SSL but by far not that complex) with the openssl/libcrypto routines. Here is a short list of comments and questions that could not be answered using the manual pages or the sources (or google :).

- What is the risk in using the default OpenSSL DH parameters? What is the benefit in generating them? (generating 4096b DH parameters on a 1.2GHz box takes some hours/days :/).
- Is a /dev/urandom (Linux 2.4) source to seed the OpenSSL PRNG fine? (seen it in many documentations, still don't feel very comfortable about it).
- The DH shared secret is too long for most symmetric ciphers. I'm using EVP_BytesToKey() to generate a suitable key + iv for the symmetric cipher.
- Both parties should use a different key + iv for both directions. Eve could otherwise figure out that both parties start the communication with the same words (same crypted packets => both parties say the same). I simply invert the shared secret before it is passed to EVP_BytesToKey() to generate two different key + iv pairs (one pair from the original shared secret, the other pair from the inverted shared secret).
- I use the MD5-sum of the shared secret as HMAC key. The HMAC key is published _after_ the communication finished. Any problems with this?
- Any way to determine how many % of the DH parameter generation has finished? (Pretty hard to predict when a prime 'will be found' but don't blame me for asking :)

Thanks for brainstorming with me about these rather simple questions :)

skyper

--
PGP: dig @segfault.net skyper axfr|grep TX|cut -f2 -d\"|sort|cut -f2 -d\;
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
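The per-direction key + iv derivation described in the message above, as an added example that is not part of the original post or of OpenSSL's code, shown next to a label-based derivation (HKDF, RFC 5869) that goes beyond what the post describes. Assumptions: "invert" means the bitwise complement of every byte, EVP_BytesToKey() is called with MD5, no salt and count 1, and the label strings and the sample secret are constructed for illustration.

```python
import hashlib
import hmac

def evp_bytes_to_key(data, key_len, iv_len, salt=b"", count=1, md="md5"):
    """Re-implementation of the EVP_BytesToKey() derivation: D_i = H^count(D_{i-1} || data || salt)."""
    out, block = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.new(md, block + data + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(md, block).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]

def invert(secret):
    # Assumption: "invert" = bitwise complement of each byte of the shared secret.
    return bytes(b ^ 0xFF for b in secret)

def keys_as_described(shared_secret, key_len=16, iv_len=16):
    """One (key, iv) pair per direction: from the secret and from its inverse."""
    return (evp_bytes_to_key(shared_secret, key_len, iv_len),
            evp_bytes_to_key(invert(shared_secret), key_len, iv_len))

def hkdf_sha256(ikm, info, length, salt=b""):
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand under a context label."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
        i += 1
    return okm[:length]

def keys_with_labels(shared_secret, key_len=16, iv_len=16):
    """Alternative: every key, IV and the MAC key gets its own label (hypothetical names)."""
    labels = (b"a->b key", b"a->b iv", b"b->a key", b"b->a iv", b"mac")
    sizes = (key_len, iv_len, key_len, iv_len, 32)
    return {l.decode(): hkdf_sha256(shared_secret, l, n) for l, n in zip(labels, sizes)}

# Constructed stand-in for a DH shared secret (not real key-exchange output).
SECRET = bytes(range(1, 65))

if __name__ == "__main__":
    for name, (key, iv) in zip(("a->b", "b->a"), keys_as_described(SECRET)):
        print(name, key.hex(), iv.hex())
    for name, value in keys_with_labels(SECRET).items():
        print(name, value.hex())
```

With labels, the MAC key is derived independently of the cipher keys instead of being a plain hash of the same secret that feeds them.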
