[openssl-users] Seeking to understand difference in RSA key gen between X9.31 and FIPS 186-4

[Ethan Rahn]

Hey Openssl-User's,

I'm trying to understand the difference between how primes are generated in
RSA X9.31 ANSI standards ( which I don't have access to ) and FIPS 186-4 (
found here: http://csrc.nist.gov/groups/STM/cavp/documents/dss2/rsa2vs.pdf )

In the code at crypto/bn/bn_x931p.c::BN_X931_generate_prime_ex you can see
that X_p1 and X_p2 are set to be 101 bit long random numbers. The FIPS
186-4 standard specifies under Table B.1 that for a 1024 bit modulus, p1
and p2 must be greater than 100 bits. So that's fine. But for 2048 and 3072
bit modulii ( sp? ) the minimum bit length of p1 and p2 will not be met.

Granted, ANSI X9.31 was written a long time ago, so maybe they didn't cover
2048 and 3072 bit numbers at the time. The concern that I have is that this
code doesn't appear to be meeting the newest recommendations. I'm not
enough of a crypto enthusiast to understand what the consequences of this
are, but does anyone else have any insights? Is my understanding of this
even correct, in that the FIPS 186-4 standards are not being met?

( I'm also assuming here that since the NIST CAVP recommendations for RSA
link to the FIPS document that they are worth following, individual
opinions expressed on this mailing list over FIPS itself non-withstanding ).

Cheers,

Ethan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161012/79ba49f8/attachment.html>