[openssl-users] Generating large DH parameters
bird_112 at hotmail.com
Wed Jan 14 14:23:13 UTC 2015
Thanks for the explanation. So I guess I just got lucky with the first one. :) Do you have any kind of estimate of how long it will take to generate?
> Date: Wed, 14 Jan 2015 13:27:55 +0000
> From: matt at openssl.org
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Generating large DH parameters
> On 14/01/15 12:35, jack seth wrote:
> > I am trying to generate a 16384 bit DH file for testing purposes. Is
> > it necessary to have a '.rnd' in existence before trying to generate
> > this file? I generated one which took 4 days to do but the computer had
> > a .rnd file. I am currently trying to generate another on a system
> > WITHOUT the .rnd file and it has been going 3 WEEKS so far. Did I just
> > get lucky with the first DH file and it really can take this long (or
> > longer) to make this file or does openssl really need the .rnd file to
> > do this?
> The purpose of the .rnd file is to seed the random number generator with
> entropy before you start. The built-in OpenSSL PRNG will attempt to seed
> itself from various different sources dependent on the platform that you
> are on, e.g. if you have a "/dev/urandom" then it will try to use it.
> Some platforms may have very restricted access to entropy sources, and
> on those platforms a .rnd file might be particularly useful. Assuming
> you are using a relatively modern desktop machine this is unlikely to be
> a problem for you.
> If the PRNG has not been seeded with sufficient entropy then it will
> fail with the "PRNG not seeded" error:
> The fact that you have not seen that error means that the PRNG believes
> it has been sufficiently seeded. The method that was used to seed the
> PRNG will not have a subsequent impact on its performance.
> In other words, the presence or otherwise of the .rnd file will not
> impact the performance once seeding is complete.
> The reason it is taking so long is that 16384 bits is GIGANTIC!
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users