DHPARAM 1 2003-07-24 0.9.9-dev OpenSSL
NAME
dhparam - DH parameter manipulation and generation
LIBRARY
libcrypto, -lcrypto
SYNOPSIS
ooppeennssssll ddhhppaarraamm
[--iinnffoorrmm DDEERR||PPEEMM]
[--oouuttffoorrmm DDEERR||PPEEMM]
[--iinn _f_i_l_e_n_a_m_e]
[--oouutt _f_i_l_e_n_a_m_e]
[--ddssaappaarraamm]
[--nnoooouutt]
[--tteexxtt]
[--CC]
[--22]
[--55]
[--rraanndd _f_i_l_e_(_s_)]
[--eennggiinnee iidd]
[_n_u_m_b_i_t_s]
DESCRIPTION
This command is used to manipulate DH parameter files.
OPTIONS
-
--iinnffoorrmm DDEERR||PPEEMM
This specifies the input format. The DDEERR option uses an ASN1 DER encoded
-
form compatible with the PKCS#3 DHparameter structure. The PEM form is the
default format: it consists of the DDEERR format base64 encoded with
additional header and footer lines.
-
--oouuttffoorrmm DDEERR||PPEEMM
This specifies the output format, the options have the same meaning as the
-
--iinnffoorrmm option.
-
--iinn _f_i_l_e_n_a_m_e
This specifies the input filename to read parameters from or standard input if
-
this option is not specified.
-
--oouutt _f_i_l_e_n_a_m_e
This specifies the output filename parameters to. Standard output is used
-
if this option is not present. The output filename should nnoott be the same
as the input filename.
-
--ddssaappaarraamm
If this option is used, DSA rather than DH parameters are read or created;
-
they are converted to DH format. Otherwise, "strong" primes (such
that (p-1)/2 is also prime) will be used for DH parameter generation.
DH parameter generation with the --ddssaappaarraamm option is much faster,
and the recommended exponent length is shorter, which makes DH key
exchange more efficient. Beware that with such DSA-style DH
parameters, a fresh DH key should be created for each use to
avoid small-subgroup attacks that may be possible otherwise.
-
--22, --55
The generator to use, either 2 or 5. 2 is the default. If present then the
-
input file is ignored and parameters are generated instead.
-
--rraanndd _f_i_l_e_(_s_)
a file or files containing random data used to seed the random number
-
generator, or an EGD socket (see _R_A_N_D___e_g_d(3)).
Multiple files can be specified separated by a OS-dependent character.
The separator is ;; for MS-Windows, ,, for OpenVMS, and :: for
all others.
-
_n_u_m_b_i_t_s
this option specifies that a parameter set should be generated of size
-
_n_u_m_b_i_t_s. It must be the last option. If not present then a value of 512
is used. If this option is present then the input file is ignored and
parameters are generated instead.
-
--nnoooouutt
this option inhibits the output of the encoded version of the parameters.
-
-
--tteexxtt
this option prints out the DH parameters in human readable form.
-
-
--CC
this option converts the parameters into C code. The parameters can then
-
be loaded by calling the ggeett__ddhh_n_u_m_b_i_t_s(()) function.
-
--eennggiinnee iidd
specifying an engine (by it's unique iidd string) will cause rreeqq
-
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
WARNINGS
The program ddhhppaarraamm combines the functionality of the programs ddhh and
ggeennddhh in previous versions of OpenSSL and SSLeay. The ddhh and ggeennddhh
programs are retained for now but may have different purposes in future
versions of OpenSSL.
NOTES
PEM format DH parameters use the header and footer lines:
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
DH.
This program manipulates DH parameters not keys.
BUGS
There should be a way to generate and manipulate DH keys.
SEE ALSO
_o_p_e_n_s_s_l___d_s_a_p_a_r_a_m(1)
HISTORY
The ddhhppaarraamm command was added in OpenSSL 0.9.5.
The --ddssaappaarraamm option was added in OpenSSL 0.9.6.