196 The p member is a prime number that is randomly generated. Initially, the proposed standard fixed the length of the prime at 512 bits. Due to much criticism, this was later changed to allow a range between 512 and 1,024 bits. The length of the prime must be a multiple of 64 bits, however. OpenSSL does not enforce the 1,024-bit upper bound, but its not a good idea to use a prime larger than 1,024 bits—many programs may not be able to use the keys that result from such a large prime. The q member is a prime factor of p-1 . The value of q must also be exactly 160 bits in length. The g member is the result of a mathematical expression involving a randomly chosen integer, as well as p and q . Using the three public parameters p , q , and g , the public and private keys can be computed. Public parameters used to compute the keys are required to generate or verify a digital signature. The parameters must therefore be exchanged along with the public key in order for the public key to be useful. Of course, the private key should never be distributed.

8.3.2 Generating Parameters and Keys

Like Diffie-Hellman, DSA requires generation of parameters before keys can be generated. Once a set of parameters is generated, many keys can be created from it. This does not mean that only people with keys created from the same parameters can interoperate; it simply means that in order to do so, all of the parameter values must be included as part of the public key. The interface for generating DSA parameters is similar to the interface for generating Diffie- Hellman parameters. The function DSA_generate_parameters will create a new DSA object that is initialized with fresh values for p , q , and g . Generation of DSA parameters is more complex than Diffie-Hellman parameter generation, although it is typically much faster, especially for large key lengths. DSA DSA_generate_parametersint bits, unsigned char seed, int seed_len, int counter_ret, unsigned long h_ret, void callbackint, int, void , void cb_arg; bits The size of the prime to be generated, specified in terms of bits. Remember that the maximum allowed by the standard is 1,024 bits. seed An optional buffer containing data that gives the function a starting point to begin looking for primes. This argument can be specified as NULL , and generally should be. seed_len The number of bytes contained in the seed buffer. If the seed buffer is specified as NULL , this argument must be specified as 0. counter_ret An optional argument that will receive the number of iterations the function went through to find primes that satisfy the requirements for p and q . This argument may be specified as NULL . h_ret 197 An optional argument that will receive the number of iterations the function went through to find a value for h , which is the random number used to calculate g . This argument may be specified as NULL . callback A pointer to a function that will be called during the prime generation process to report the status of the prime generation. The callback is the same as the callback used by BN_generate_prime , which we discussed in Chapter 4 . This argument may be specified as NULL if no callbacks are desired. cb_arg A pointer to application-specific data. OpenSSL does not use this value for anything itself. It is passed as an argument to the specified callback function. Once parameters have been generated, key pairs can be generated. The function DSA_generate_key is provided by OpenSSL for doing just that. It requires as its only argument a DSA object that has the parameters p , q , and g filled in. If the keys are generated successfully, the return from the function will be nonzero. If an error occurs, the return will be zero. The generated public and private keys are stored in the supplied DSA objects pub_key and priv_key members, respectively. Once the keys are computed, they can be used for creating digital signatures and verifying them. The DSA object containing the parameters and keys must remain in memory to perform these operations, of course, but when the DSA object is no longer needed, it should be destroyed by calling DSA_free and passing the DSA object as its only argument.

8.3.3 Signing and Verifying