Re: [openssl-users] RSA_generate_key fails in FIPS Mode with key size 2048
On Wed, Feb 24, 2016, Neptune wrote:

> Using:
> FIPS Object Module 2.0.9
> OpenSSL 1.0.1l
>
> When I call RSA_generate_key:
> if (rsa = RSA_generate_key(keySize, RSA_F4, NULL, NULL))
>
> I get the following error string:
> (OPENSSL error:04081078:rsa routines:RSA_BUILTIN_KEYGEN:key size too small)
>
> As I understand, RSA Key size must be 2048 or greater in FIPS mode, so I
> printed out the key size just before calling the above function:
>
> KEYSIZE = 2048.
>
> What else could cause this function to report a key size too small if it is
> 2048 bits? Is 2048 still FIPS-compliant?
> BTW: this works if FIPS mode is off.
>

That isn't the error I'd expect if it was rejecting the key size straight away.

Do you have a small program that can reproduce this? What happens if you do:

OPENSSL_FIPS=1 openssl genrsa 2048

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] RSA_generate_key fails in FIPS Mode with key size 2048
Using:
FIPS Object Module 2.0.9
OpenSSL 1.0.1l

When I call RSA_generate_key:
if (rsa = RSA_generate_key(keySize, RSA_F4, NULL, NULL))

I get the following error string:
(OPENSSL error:04081078:rsa routines:RSA_BUILTIN_KEYGEN:key size too small)

As I understand, RSA Key size must be 2048 or greater in FIPS mode, so I printed out the key size just before calling the above function:

KEYSIZE = 2048.

What else could cause this function to report a key size too small if it is 2048 bits? Is 2048 still FIPS-compliant?
BTW: this works if FIPS mode is off.

Thanks!

--
View this message in context: http://openssl.6102.n7.nabble.com/RSA-generate-key-fails-in-FIPS-Mode-with-key-size-2048-tp63989.html
RE: RSA_generate_key function
Hi David,

1. I am not sure what you mean by replacing RSA_generate_key with my own function, because I would like it to go through the process of creating prime numbers, and modulus, etc. Basically I want the RSA_generate_key to generate the same public key at startup each time my process runs.

2. You say I could do this with writing my own PRNG? Do you have an example of this?

3. I went into the RSA_generate_key code and I saw during the prime number calculation that the function bnrand() actually uses the system time as a seed. If this was the case, how could I ever get RSA_generate_key to return the same public key?

-----Original Message-----
From: David Schwartz [mailto:dav...@webmaster.com]
Sent: Monday, January 31, 2011 7:37 PM
To: openssl-users@openssl.org
Cc: Ashwin Chandra
Subject: Re: RSA_generate_key function

On 1/31/2011 5:37 PM, Ashwin Chandra wrote:

> I would like to call this function to generate the same public/private
> key every time.
>
> I thought all I had to do was create the same seed using RAND_seed
> each time, however I still keep getting different key pairs.
>
> Is there any way to have RSA_generate_key generate the same
> public/private key each time? (I know this doesn't make sense security
> wise, but the work I have to do requires it).
>

Replace RSA_generate_key with your own function that returns the desired key. Using the same seed each time won't work because intervening operations can leave the PRNG in a different state. You could use your own PRNG to replace OpenSSL's and then put it into a particular state prior to calling RSA_generate_key.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: RSA_generate_key function
On 1/31/2011 5:37 PM, Ashwin Chandra wrote:

> I would like to call this function to generate the same public/private
> key every time.
>
> I thought all I had to do was create the same seed using RAND_seed
> each time, however I still keep getting different key pairs.
>
> Is there any way to have RSA_generate_key generate the same
> public/private key each time? (I know this doesn’t make sense security
> wise, but the work I have to do requires it).

Replace RSA_generate_key with your own function that returns the desired key. Using the same seed each time won't work because intervening operations can leave the PRNG in a different state. You could use your own PRNG to replace OpenSSL's and then put it into a particular state prior to calling RSA_generate_key.

DS
RSA_generate_key function
I would like to call this function to generate the same public/private key every time.

I thought all I had to do was create the same seed using RAND_seed each time, however I still keep getting different key pairs.

Is there any way to have RSA_generate_key generate the same public/private key each time? (I know this doesn't make sense security wise, but the work I have to do requires it).
extract private/public key from RSA_generate_key
Hi,

Could someone tell me how I can extract the public and private keys from the RSA structure returned by the function "RSA_generate_key"? I'm using OpenSSL in my C simulation work and I must exchange public keys between the simulated server and client, then encrypt and decrypt the message. I cannot exchange the whole RSA structure?

Thanks,
kris
Re: RSA_generate_key
On Wed, Aug 11, 2010, krishnamurthy santhanam wrote:

>
> I am able to generate key. how to do seed PRNG before generating key?
>

The PRNG is seeded automatically using platform specific entropy. If it wasn't the key would not be generated and you'd get a PRNG not seeded error.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: RSA_generate_key
Hi,

I am able to generate key. how to do seed PRNG before generating key? is it enough to add rand_load_file("dev/random",1024) before generating key? it would be helpful if u explain with one example?

#include <stdio.h>
#include <stdlib.h>
#include <openssl/rsa.h>
#include <openssl/err.h>

int main()
{
    char *plain="Sample text"; //Sample text (plain text) to Encrypt/Decrypt
    char *ciphertext;
    printf("%s\n",plain);
    // Generate RSA key
    RSA *rsa1= RSA_generate_key(1024,65537,NULL,NULL);
    // RSA_size() will determine how much memory must be allocated for an
    if(rsa1==NULL) {
        printf("NO RSA!\n\n");
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stdout);
        return 1; // no key was generated
    }
    else
    {
        printf("RSA OK!\n");
    }
    ciphertext = (char *)malloc(RSA_size(rsa1));
    printf("rsa key = %d\n",rsa1);
    printf("RSA size = %d\n",RSA_size(rsa1));
    free(ciphertext);
    RSA_free(rsa1);
    return 0;
}

Thanks
Kris
Re: RSA_generate_key
Hi,

I think you are confusing RSA with some sort of symmetric algorithm. RSA is a public key algorithm that involves two parts : a public part represented by the modulus and the public exponents, and the private part which has two possible representations (one is modulus+private exponent and the other is called CRT).
The RSA size is actually the size of the modulus.
I encourage you to read more about RSA before trying to use OpenSSL resources for this.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

> yes ..i am not able to find the 128 byte RSA key.. how should get
> those information?
>
> kris
>
> On Tue, Aug 3, 2010 at 1:15 AM, Michael S. Zick wrote:
>
>> On Mon August 2 2010, krishnamurthy santhanam wrote:
>> > Hi,
>> >
>> > i am new to OpenSSL..i have to use RSA_generate key function to generate
>> > key..below is the program and outcome..is this the way to generate key?
>> >
>> > #include
>> > #include
>> > #include
>> > int main()
>> > {
>> > char *plain="Sample text"; //Sample text (plain text) to Encrypt/Decrypt
>> > char *ciphertext;
>> > printf("%s\n",plain);
>> > // Generate RSA key
>> > RSA *rsa1= RSA_generate_key(1024,65537,NULL,NULL);
>> > // RSA_size() will determine how much memory must be allocated for an
>> > if(rsa1==NULL) {
>> > printf("NO RSA!\n\n");
>> > ERR_load_crypto_strings();
>> > ERR_print_errors_fp(stdout);
>> > }
>> > else
>> > {
>> > printf("RSA OK!\n");
>> > }
>> > ciphertext = (char *)malloc(RSA_size(rsa1));
>> > printf("rsa key = %d\n",rsa1);
>> > printf("RSA size = %d\n",RSA_size(rsa1));
>> > RSA_free(rsa1);
>> > }
>> >
>> > $ gcc -o rsa1 rsa1.c -lcrypto
>> >
>> > Output
>> > -
>> > $ ./rsa1
>> > Sample text
>> > RSA OK!
>> > rsa key = 473608208
>> > RSA size = 128
>> >
>>
>> Times 8 bits per octet == 1024 bits as requested.
>>
>> >
>> > Please correct me if i am missing anything ..
>> >
>>
>> Does your %d recognize a number that is 128 bytes long?
>>
>> Mike
>>
>> >
>> > kris
>> >
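The key layout Mounir describes above (public modulus and exponent, private exponent or CRT form, size equal to the modulus size), as an added example that is not part of the thread and is not OpenSSL code: a toy RSA over two constructed 16-bit primes. The `toy_*` names, the primes and the test message are assumptions for illustration; only the field names follow OpenSSL 1.0.x's RSA struct.

```c
/* Toy RSA over 16-bit primes: key structure only, far too small for real use. */
#include <stdint.h>
#include <stdio.h>

typedef struct {                 /* hypothetical type; field names as in OpenSSL 1.0.x */
    uint64_t n, e;               /* public part: modulus and public exponent */
    uint64_t d;                  /* private part, form 1: used together with n */
    uint64_t p, q, dmp1, dmq1, iqmp; /* private part, form 2: CRT values */
} toy_rsa;

static unsigned bit_length(uint64_t v) {      /* what BN_num_bits() reports */
    unsigned bits = 0;
    while (v) { bits++; v >>= 1; }
    return bits;
}

static uint64_t modpow(uint64_t b, uint64_t x, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; x; x >>= 1) {   /* operands stay below 2^32: no overflow */
        if (x & 1) r = r * b % m;
        b = b * b % m;
    }
    return r;
}

/* Inverse of a modulo m by extended Euclid; 0 when gcd(a, m) != 1. */
static uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t r0 = (int64_t)m, r1 = (int64_t)(a % m), t0 = 0, t1 = 1, quot, tmp;
    while (r1 != 0) {
        quot = r0 / r1;
        tmp = r0 - quot * r1; r0 = r1; r1 = tmp;
        tmp = t0 - quot * t1; t0 = t1; t1 = tmp;
    }
    if (r0 != 1) return 0;
    return (uint64_t)(t0 < 0 ? t0 + (int64_t)m : t0);
}

/* Builds every component from two primes; returns 0 if e has no inverse. */
static int toy_rsa_generate(toy_rsa *k, uint64_t p, uint64_t q, uint64_t e) {
    k->p = p; k->q = q; k->e = e; k->n = p * q;
    k->d = modinv(e, (p - 1) * (q - 1));
    if (k->d == 0) return 0;
    k->dmp1 = k->d % (p - 1); k->dmq1 = k->d % (q - 1);
    k->iqmp = modinv(q, p);
    return 1;
}

/* Bytes needed for n: the figure RSA_size() returns (128 for a 1024-bit key). */
static unsigned toy_rsa_size(const toy_rsa *k) { return (bit_length(k->n) + 7) / 8; }
static uint64_t toy_public_op(const toy_rsa *k, uint64_t m) { return modpow(m, k->e, k->n); }
static uint64_t toy_private_op(const toy_rsa *k, uint64_t c) { return modpow(c, k->d, k->n); }
static uint64_t toy_private_op_crt(const toy_rsa *k, uint64_t c) {
    uint64_t m1 = modpow(c, k->dmp1, k->p), m2 = modpow(c, k->dmq1, k->q);
    uint64_t h = k->iqmp * ((m1 + k->p - m2 % k->p) % k->p) % k->p;
    return m2 + h * k->q;        /* Garner recombination */
}

int main(void) {
    toy_rsa k;                   /* constructed sample: two 16-bit primes, e = RSA_F4 */
    if (!toy_rsa_generate(&k, 65519, 65521, 65537)) return 1;
    uint64_t c = toy_public_op(&k, 123456789);
    printf("n=%u bits, e=%u bits, size=%u bytes, round trip ok=%d\n",
           bit_length(k.n), bit_length(k.e), toy_rsa_size(&k),
           toy_private_op(&k, c) == 123456789 && toy_private_op_crt(&k, c) == 123456789);
    return 0;
}
```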
Re: RSA_generate_key
RSA is a structure containing the public modulus, private modulus, exponent etc. Your rsa1 variable is a pointer to this structure. Why would you want to print an address using %d?

-Sandeep

On Tue, Aug 3, 2010 at 9:40 AM, krishnamurthy santhanam <krishnamurth...@gmail.com> wrote:

> yes ..i am not able to find the 128 byte RSA key.. how should get
> those information?
>
> kris
>
> On Tue, Aug 3, 2010 at 1:15 AM, Michael S. Zick wrote:
>
>> On Mon August 2 2010, krishnamurthy santhanam wrote:
>> > Hi,
>> >
>> > i am new to OpenSSL..i have to use RSA_generate key function to generate
>> > key..below is the program and outcome..is this the way to generate key?
>> >
>> > #include
>> > #include
>> > #include
>> > int main()
>> > {
>> > char *plain="Sample text"; //Sample text (plain text) to Encrypt/Decrypt
>> > char *ciphertext;
>> > printf("%s\n",plain);
>> > // Generate RSA key
>> > RSA *rsa1= RSA_generate_key(1024,65537,NULL,NULL);
>> > // RSA_size() will determine how much memory must be allocated for an
>> > if(rsa1==NULL) {
>> > printf("NO RSA!\n\n");
>> > ERR_load_crypto_strings();
>> > ERR_print_errors_fp(stdout);
>> > }
>> > else
>> > {
>> > printf("RSA OK!\n");
>> > }
>> > ciphertext = (char *)malloc(RSA_size(rsa1));
>> > printf("rsa key = %d\n",rsa1);
>> > printf("RSA size = %d\n",RSA_size(rsa1));
>> > RSA_free(rsa1);
>> > }
>> >
>> > $ gcc -o rsa1 rsa1.c -lcrypto
>> >
>> > Output
>> > -
>> > $ ./rsa1
>> > Sample text
>> > RSA OK!
>> > rsa key = 473608208
>> > RSA size = 128
>> >
>>
>> Times 8 bits per octet == 1024 bits as requested.
>>
>> >
>> > Please correct me if i am missing anything ..
>> >
>>
>> Does your %d recognize a number that is 128 bytes long?
>>
>> Mike
>>
>> >
>> > kris
>> >
Re: RSA_generate_key
yes ..i am not able to find the 128 byte RSA key.. how should get those information?

kris

On Tue, Aug 3, 2010 at 1:15 AM, Michael S. Zick wrote:

> On Mon August 2 2010, krishnamurthy santhanam wrote:
> > Hi,
> >
> > i am new to OpenSSL..i have to use RSA_generate key function to generate
> > key..below is the program and outcome..is this the way to generate key?
> >
> > #include
> > #include
> > #include
> > int main()
> > {
> > char *plain="Sample text"; //Sample text (plain text) to Encrypt/Decrypt
> > char *ciphertext;
> > printf("%s\n",plain);
> > // Generate RSA key
> > RSA *rsa1= RSA_generate_key(1024,65537,NULL,NULL);
> > // RSA_size() will determine how much memory must be allocated for an
> > if(rsa1==NULL) {
> > printf("NO RSA!\n\n");
> > ERR_load_crypto_strings();
> > ERR_print_errors_fp(stdout);
> > }
> > else
> > {
> > printf("RSA OK!\n");
> > }
> > ciphertext = (char *)malloc(RSA_size(rsa1));
> > printf("rsa key = %d\n",rsa1);
> > printf("RSA size = %d\n",RSA_size(rsa1));
> > RSA_free(rsa1);
> > }
> >
> > $ gcc -o rsa1 rsa1.c -lcrypto
> >
> > Output
> > -
> > $ ./rsa1
> > Sample text
> > RSA OK!
> > rsa key = 473608208
> > RSA size = 128
> >
>
> Times 8 bits per octet == 1024 bits as requested.
>
> >
> > Please correct me if i am missing anything ..
> >
>
> Does your %d recognize a number that is 128 bytes long?
>
> Mike
>
> >
> > kris
> >
Re: RSA_generate_key
On Mon August 2 2010, krishnamurthy santhanam wrote:

> Hi,
>
> i am new to OpenSSL..i have to use RSA_generate key function to generate
> key..below is the program and outcome..is this the way to generate key?
>
> #include
> #include
> #include
> int main()
> {
> char *plain="Sample text"; //Sample text (plain text) to Encrypt/Decrypt
> char *ciphertext;
> printf("%s\n",plain);
> // Generate RSA key
> RSA *rsa1= RSA_generate_key(1024,65537,NULL,NULL);
> // RSA_size() will determine how much memory must be allocated for an
> if(rsa1==NULL) {
> printf("NO RSA!\n\n");
> ERR_load_crypto_strings();
> ERR_print_errors_fp(stdout);
> }
> else
> {
> printf("RSA OK!\n");
> }
> ciphertext = (char *)malloc(RSA_size(rsa1));
> printf("rsa key = %d\n",rsa1);
> printf("RSA size = %d\n",RSA_size(rsa1));
> RSA_free(rsa1);
> }
>
> $ gcc -o rsa1 rsa1.c -lcrypto
>
> Output
> -
> $ ./rsa1
> Sample text
> RSA OK!
> rsa key = 473608208
> RSA size = 128
>

Times 8 bits per octet == 1024 bits as requested.

>
> Please correct me if i am missing anything ..
>

Does your %d recognize a number that is 128 bytes long?

Mike

>
> kris
>
RSA_generate_key
Hi,

i am new to OpenSSL..i have to use RSA_generate key function to generate key..below is the program and outcome..is this the way to generate key?

#include <stdio.h>
#include <stdlib.h>
#include <openssl/rsa.h>
#include <openssl/err.h>

int main()
{
    char *plain="Sample text"; //Sample text (plain text) to Encrypt/Decrypt
    char *ciphertext;
    printf("%s\n",plain);
    // Generate RSA key
    RSA *rsa1= RSA_generate_key(1024,65537,NULL,NULL);
    // RSA_size() will determine how much memory must be allocated for an
    if(rsa1==NULL) {
        printf("NO RSA!\n\n");
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stdout);
        return 1; // no key was generated
    }
    else
    {
        printf("RSA OK!\n");
    }
    ciphertext = (char *)malloc(RSA_size(rsa1));
    printf("rsa key = %d\n",rsa1);
    printf("RSA size = %d\n",RSA_size(rsa1));
    free(ciphertext);
    RSA_free(rsa1);
    return 0;
}

$ gcc -o rsa1 rsa1.c -lcrypto

Output
-
$ ./rsa1
Sample text
RSA OK!
rsa key = 473608208
RSA size = 128

Please correct me if i am missing anything ..

kris
[EMAIL PROTECTED]: 0.9.8a: DSA_generate_parameters & RSA_generate_key not in libcrypto]
Forwarded to respective mailing lists

Regards,
Lutz

----- Forwarded message from Thomas Schulz <[EMAIL PROTECTED]> -----

Date: Wed, 12 Apr 2006 14:42:27 -0400 (EDT)
From: Thomas Schulz <[EMAIL PROTECTED]>
To: openssl-bugs@openssl.org
Subject: 0.9.8a: DSA_generate_parameters & RSA_generate_key not in libcrypto

I am not sure if this is a bug or something that was never defined to work. I tried to build openssh-4.3p2 against openssl-0.9.8a. It died with DSA_generate_parameters and RSA_generate_key as undefined symbols. I tried again using openssl-0.9.7i and openssh-4.3p2 built without any problem. The exact error is as follows:

cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/opt/local/lib -R/opt/local/lib -L/opt/local/lib -R/opt/local/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lrt -lz -lsocket -lnsl
Undefined                       first referenced
 symbol                             in file
DSA_generate_parameters             ./libssh.a(key.o)
RSA_generate_key                    ./libssh.a(key.o)
ld: fatal: Symbol referencing errors. No output written to ssh
*** Error code 1

Tom schulz
Applied Dynamics Intl.
[EMAIL PROTECTED]

----- End forwarded message -----

--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
RE: RSA_generate_key: n/e/d and strange keysizes <= PLEASE IGNORE THAT MESSAGE
Please ignore that message: I accidentally linked against the OpenSSL library while using libeay32.dll from the MKS toolkit :-/

-----Original Message-----
From: Heusden van, FJJ (Folkert)
Sent: Tuesday, 11 May 2004 10:49
To: '[EMAIL PROTECTED]'
Subject: RSA_generate_key: n/e/d and strange keysizes

Hi,

I'm trying to create an RSA keypair with the RSA_generate_key function. After seeding the PRNG with some random values, I call RSA_generate_key this way:

RSA *pRsa = RSA_generate_key(
    1024,     // key length
    257,      // exponent
    progress, // shows progress
    NULL      // given to the progresscallback function
);

After this has completed, I display its output:

printf("n size: %d (bits)\n", BN_num_bits(pRsa -> n));
printf("e size: %d (bits)\n", BN_num_bits(pRsa -> e));
printf("d size: %d (bits)\n", BN_num_bits(pRsa -> d));

I would then expect the output for 'n' and 'd' to be 1024 and 'e' to be 9, but in reality 'n' is 9 bits, 'e' is 1024 bits and 'd' is 512(!) bits!

So now my questions are:

- for openssl, what is the public and what is the secret key? I would expect n to be the public and d the secret key but due to the fact that n contains the exponent after RSA_generate_key() returns I'm no longer sure
- why is it that 'd' is only 512 bits? I've set the key length to 1024 bits so my guess is that both the public and the secret part of the RSA keypair is 1024 bits, right?

Thank you,
Folkert van Heusden.

---
Folkert van Heusden
Rabobank IBS, GEA development team
Location: UHG526, postal address: UHG439
Tel: +31 30 2161262 Fax: +31 30 2161922
e-mail: [EMAIL PROTECTED]
---
Yacht [ www.yachtgroup.com ]
Tel: +31 800 9990990
e-mail: [EMAIL PROTECTED]
---
Testcentrum Gouda [ www.testcentrumgouda.nl ]
e-mail: [EMAIL PROTECTED]
---
Private [ www.vanheusden.com ]
GSM: +31 6 41278122
Microsoft Netmeeting: keetweej.vanheusden.com
e-mail: [EMAIL PROTECTED]
---

The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.
RSA_generate_key: n/e/d and strange keysizes
Hi,

I'm trying to create an RSA keypair with the RSA_generate_key function. After seeding the PRNG with some random values, I call RSA_generate_key this way:

RSA *pRsa = RSA_generate_key(
    1024,     // key length
    257,      // exponent
    progress, // shows progress
    NULL      // given to the progresscallback function
);

After this has completed, I display its output:

printf("n size: %d (bits)\n", BN_num_bits(pRsa -> n));
printf("e size: %d (bits)\n", BN_num_bits(pRsa -> e));
printf("d size: %d (bits)\n", BN_num_bits(pRsa -> d));

I would then expect the output for 'n' and 'd' to be 1024 and 'e' to be 9, but in reality 'n' is 9 bits, 'e' is 1024 bits and 'd' is 512(!) bits!

So now my questions are:

- for openssl, what is the public and what is the secret key? I would expect n to be the public and d the secret key but due to the fact that n contains the exponent after RSA_generate_key() returns I'm no longer sure
- why is it that 'd' is only 512 bits? I've set the key length to 1024 bits so my guess is that both the public and the secret part of the RSA keypair is 1024 bits, right?

Thank you,
Folkert van Heusden.