Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 19 Oct 2015 22:16:19 -0600
From: Kurt Seifried <>
To: oss-security <>
Cc: Seth Arnold <>
Subject: Re: Prime example of a can of worms

On Mon, Oct 19, 2015 at 3:40 PM, Daniel Kahn Gillmor <>
> On the flip side, saying "use only strong (>=2048bit today in 2015?),
> well-known, well-structured, publicly-vetted groups" is very simple
> guidance: clear and easy to follow.
> A move to well-known, large safe primes seems simpler/saner than trying
> to work with an environment where peers are generating new primes which
> may or may not be well-formed.  (similarly, we're converging on a world
> where there are a few trusted, well-vetted, well-optimized DH groups for
> elliptic curve DH, because encouraging arbitrary ECDH groups ends up
> being sketchier for everyone)
>       --dkg

So it occurs to me that we have no corpus of data on Diffie Helman primes.
With this in mind I would like to create one. Openssl command line can
easily create them, using either the 2 (default) or 5 generator (explained

For example the following code:

for i in `seq 1 100`;
    openssl dhparam 2048 -text >> $i

will generate 100 2048 bit primes. If you can ideally simply commit the
files to the following github repo:

simply create a directory in the root with your name/whatever you want to
call it (nothing rude please) and have a "2048" directory for the 2048 bit
primes and a "4096" directory for the 4096 bit primes I would appreciate
it. If you use a tool other than OpenSSL command line to generate the
primes please make a note of it (especially any command line options used)
in a .txt file in the root of your data directory. My goal is to collect a
few million primes of each size so we have some real data to work with.

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ