DHPARAM 1 2003-07-24 0.9.9-dev OpenSSL

NAME

dhparam - DH parameter manipulation and generation

LIBRARY

libcrypto, -lcrypto

SYNOPSIS

ooppeennssssll ddhhppaarraamm [--iinnffoorrmm DDEERR||PPEEMM] [--oouuttffoorrmm DDEERR||PPEEMM] [--iinn _f_i_l_e_n_a_m_e] [--oouutt _f_i_l_e_n_a_m_e] [--ddssaappaarraamm] [--nnoooouutt] [--tteexxtt] [--CC] [--22] [--55] [--rraanndd _f_i_l_e_(_s_)] [--eennggiinnee iidd] [_n_u_m_b_i_t_s]

DESCRIPTION

This command is used to manipulate DH parameter files.

OPTIONS

--iinnffoorrmm DDEERR||PPEEMM This specifies the input format. The DDEERR option uses an ASN1 DER encoded
form compatible with the PKCS#3 DHparameter structure. The PEM form is the default format: it consists of the DDEERR format base64 encoded with additional header and footer lines.
--oouuttffoorrmm DDEERR||PPEEMM This specifies the output format, the options have the same meaning as the
--iinnffoorrmm option.
--iinn _f_i_l_e_n_a_m_e This specifies the input filename to read parameters from or standard input if
this option is not specified.
--oouutt _f_i_l_e_n_a_m_e This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should nnoott be the same as the input filename.
--ddssaappaarraamm If this option is used, DSA rather than DH parameters are read or created;
they are converted to DH format. Otherwise, "strong" primes (such that (p-1)/2 is also prime) will be used for DH parameter generation.

DH parameter generation with the --ddssaappaarraamm option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.
--22, --55 The generator to use, either 2 or 5. 2 is the default. If present then the
input file is ignored and parameters are generated instead.
--rraanndd _f_i_l_e_(_s_) a file or files containing random data used to seed the random number
generator, or an EGD socket (see _R_A_N_D___e_g_d(3)). Multiple files can be specified separated by a OS-dependent character. The separator is ;; for MS-Windows, ,, for OpenVMS, and :: for all others.
_n_u_m_b_i_t_s this option specifies that a parameter set should be generated of size
_n_u_m_b_i_t_s. It must be the last option. If not present then a value of 512 is used. If this option is present then the input file is ignored and parameters are generated instead.
--nnoooouutt this option inhibits the output of the encoded version of the parameters.
--tteexxtt this option prints out the DH parameters in human readable form.
--CC this option converts the parameters into C code. The parameters can then
be loaded by calling the ggeett__ddhh_n_u_m_b_i_t_s(()) function.
--eennggiinnee iidd specifying an engine (by it's unique iidd string) will cause rreeqq
to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.

WARNINGS

The program ddhhppaarraamm combines the functionality of the programs ddhh and ggeennddhh in previous versions of OpenSSL and SSLeay. The ddhh and ggeennddhh programs are retained for now but may have different purposes in future versions of OpenSSL.

NOTES

PEM format DH parameters use the header and footer lines:


 -----BEGIN DH PARAMETERS-----
 -----END DH PARAMETERS-----

OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42 DH.

This program manipulates DH parameters not keys.

BUGS

There should be a way to generate and manipulate DH keys.

SEE ALSO

_o_p_e_n_s_s_l___d_s_a_p_a_r_a_m(1)

HISTORY

The ddhhppaarraamm command was added in OpenSSL 0.9.5. The --ddssaappaarraamm option was added in OpenSSL 0.9.6.