[openssl-users] Generating large DH parameters

Matt Caswell matt at openssl.org
Wed Jan 14 13:27:55 UTC 2015



On 14/01/15 12:35, jack seth wrote:
> I am trying to generate a 16384 bit DH file for testing purposes.   Is
> it necessary to have a '.rnd' in existence before trying to generate
> this file?  I generated one which took 4 days to do but the computer had
> a .rnd file.  I am currently trying to generate another on a system
> WITHOUT the .rnd file and it has been going 3 WEEKS so far.  Did I just
> get lucky with the first DH file and it really can take this long (or
> longer) to make this file or does openssl really need the .rnd file to
> do this?

The purpose of the .rnd file is to seed the random number generator with
entropy before you start. The built-in OpenSSL PRNG will attempt to seed
itself from various different sources dependent on the platform that you
are on, e.g. if you have a "/dev/urandom" then it will try to use it.
Some platforms may have very restricted access to entropy sources, and
on those platforms a .rnd file might be particularly useful. Assuming
you are using a relatively modern desktop machine this is unlikely to be
a problem for you.

If the PRNG has not been seeded with sufficient entropy then it will
fail with the "PRNG not seeded" error:
https://www.openssl.org/support/faq.html#USER1

The fact that you have not seen that error means that the PRNG believes
it has been sufficiently seeded. The method that was used to seed the
PRNG will not have a subsequent impact on its performance.

In other words, the presence or otherwise of the .rnd file will not
impact the performance once seeding is complete.

The reason it is taking so long is that 16384 bits is GIGANTIC!

Matt
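An added illustration, not part of the original message and not OpenSSL's code, of why the size rather than the seeding dominates the running time: generating DH parameters of this kind means searching for a safe prime p, where (p-1)/2 is also prime. The function names below and the bits^5 cost rule of thumb are assumptions made for this example.

```python
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; each round is one modular exponentiation."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: n is composite
    return True

def find_safe_prime(bits, rng):
    """Return (p, tried): p and (p - 1) // 2 both prime, plus candidates drawn."""
    tried = 0
    while True:
        # Force the top bit (exact size) and the low two bits (so q is odd).
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 3
        tried += 1
        q = (p - 1) // 2
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            return p, tried

def relative_cost(bits, baseline=2048):
    """Rough heuristic (assumption): ~bits^2 candidates x ~bits^3 per exponentiation."""
    return (bits / baseline) ** 5

if __name__ == "__main__":
    rng = random.Random(2015)  # fixed seed for a repeatable demo only, never for real keys
    for bits in (32, 64, 128):
        p, tried = find_safe_prime(bits, rng)
        print(f"{bits:4d} bits: {tried:5d} candidates tried")
    print(f"16384 vs 2048 bits: ~{relative_cost(16384):.0f}x the work")
```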


