RSA Security 5.2.2 manual Adhparamgenparams

Performing Diffie-Hellman Key Agreement

Step 2: Setting The Algorithm Object

There is only one AI for generating Diffie-Hellman parameters: AI_DHParamGen. The format of info supplied to B_SetAlgorithmInfo is a pointer to the following struct:

} A_DH_PARAM_GEN_PARAMS;

Crypto-C will generate the prime, but you must decide how big that prime will be. As with the RSA modulus, the number of prime bits can be anywhere from 256 to 2048. Larger numbers provide greater security, but operations with larger numbers are much slower. RSA Security recommends 768. To save time, because this is for illustrative purposes only, this example will use 512.

The exponent is the private value, generated randomly by each party during Phase 1. The value exponentBits is the length of that private value. The Diffie-Hellman algorithm allows the parameter generator (the central authority) to optionally determine the length of the private value. Crypto-C exercises that option and requires the length.

The exponent length should be at least twice the general security level of the system. For instance, if 80-bit security against brute-force attack is desired, the exponent should be 160 bits long. (This is how DSS does it.) The prime length should be chosen to have a comparable level of difficulty against the best discrete logarithm algorithms. The relationship between the sizes changes from time to time; a 1024-bit prime would not be too far off from the 80-bit level.

The closer the exponent length is to the prime length, the longer it takes to generate the Diffie-Hellman parameters, because Crypto-C generates a prime p and a prime q where p-1is a multiple of q, and the length of q is the same as the desired length of the exponent. If the lengths are very close it will take a long time to find an appropriately related pair of primes, because for a given q there won't be all that many possible p’s. For example: for a one-bit difference between the prime and exponent lengths, p must equal 2q+1, and it's unlikely that q and 2q+1 are simultaneously prime.

The Chapter 2 entry for AI_DHParamGen notes that the “exponentBits must be less than primeBits.” For this example, choose 512 prime bits and 504 exponent bits: