IPSEC_RSASIGKEY(8) IPSEC_RSASIGKEY(8)

ipsec rsasigkey - generate RSA signature key

ipsec rsasigkey [--verbose] [--random filename] [--rounds nr]
    [--hostname hostname] [--noopt] nbits

ipsec rsasigkey [--verbose] [--hostname hostname] [--noopt]
    [--oldkey filename]

Rsasigkey generates an RSA public/private key pair, suitable for digital
signatures, of (exactly) nbits bits (that is, two primes each of exactly
nbits/2 bits, and related numbers) and emits it on standard output as
ASCII (mostly hex) data. nbits must be a multiple of 16.

The public exponent is forced to the value 3, which has important speed
advantages for signature checking. Beware that the resulting keys have
known weaknesses as encryption keys and should not be used for that
purpose.

The --verbose option makes rsasigkey give a running commentary on
standard error. By default, it works in silence until it is ready to
generate output.

The --random option specifies a source for random bits. The default is
/dev/random (see random(4)). Normally, rsasigkey reads exactly nbits
random bits from the source; in extremely rare circumstances it may need
more. Under Linux with hardware random support, the special device
/dev/hw_random is created. However, the driver does not guarantee
FIPS-compliant randomness, and some hardware is so broken that it returns
extremely non-random data. Therefore /dev/hw_random should never be used
with the --random option. Instead, one should run the rngd(8) daemon to
funnel randomness from /dev/hw_random into /dev/random.

The --rounds option specifies the number of rounds to be done by the
mpz_probab_prime_p probabilistic primality checker. The default, 30, is
fairly rigorous and should not normally have to be overridden.

The --hostname option specifies what host name to use in the first line
of the output (see below); the default is what gethostname(2) returns.

The --noopt option suppresses an optimization of the private key (to be
precise, setting of the decryption exponent to lcm(p-1,q-1) rather than
(p-1)*(q-1)) which speeds up operations on it slightly but can cause it
to flunk a validity check in old RSA implementations (notably, obsolete
versions of ipsec_pluto(8)).

The --oldkey option specifies that rather than generate a new key,
rsasigkey should read an old key from the file (the name '-' means
'standard input') and use that to generate its output. Input lines which
do not look like rsasigkey output are silently ignored. This permits
updating old keys to the current format.

The output format looks like this (with long numbers trimmed down for
clarity):

    # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=0sAQOF8tZ2NZt...Y1P+buFuFn/
    Modulus: 0xcc2a86fcf440...cf1011abb82d1
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x881c59fdf8...ab05c8c77d23
    Prime1: 0xf49fd1f779...46504c7bf3
    Prime2: 0xd5a9108453...321d43cb2b
    Exponent1: 0xa31536a4fb...536d98adda7f7
    Exponent2: 0x8e70b5ad8d...9142168d7dcc7
    Coefficient: 0xafb761d001...0c13e98d98

The first (comment) line, indicating the nature and date of the key, and
giving a host name, is used by ipsec_showhostkey(8) when generating some
forms of key output.

The commented-out pubkey= line contains the public key, the public
exponent and the modulus combined in approximately RFC 2537 format (the
one deviation is that the combined value is given with a 0s prefix,
rather than in unadorned base-64), suitable for use in the ipsec.conf
file.

The Modulus, PublicExponent and PrivateExponent lines give the basic
signing and verification data.

The Prime1 and Prime2 lines give the primes themselves (aka p and q),
largest first. The Exponent1 and Exponent2 lines give the private
exponent mod p-1 and q-1 respectively. The Coefficient line gives the
Chinese Remainder Theorem coefficient, which is the inverse of q, mod p.
These additional numbers (which must all be kept as secret as the private
exponent) are precomputed aids to rapid signature generation.
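
The relations between the fields described above can be checked mechanically before a key file is put into service. The Python below is an added example, not part of the original manual page or of rsasigkey; the function names and the 16-bit toy key are constructed for illustration. It parses the output format, decodes the pubkey= value, and accepts a private exponent computed against either lcm(p-1,q-1) or (p-1)*(q-1), the two forms discussed under --noopt.

```python
import base64
import math

# Constructed 16-bit toy key in rsasigkey's output format (illustration only).
SAMPLE = """\
# RSA 16 bits xy.example.com Sat Apr 15 13:53:22 2000
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQPqVQ==
Modulus: 0xea55
PublicExponent: 0x03
# everything after this point is secret
PrivateExponent: 0x26bd
Prime1: 0xfb
Prime2: 0xef
Exponent1: 0xa7
Exponent2: 0x9f
Coefficient: 0xe6
"""

def parse_key(text):
    """Return (fields, pubkey_bytes) parsed from rsasigkey-style output."""
    fields, pub = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#pubkey=0s"):
            pub = base64.b64decode(line[len("#pubkey=0s"):])
        elif not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip()] = int(value.strip(), 16)
    return fields, pub

def decode_pubkey(blob):
    """Split an RFC 2537 blob: 1-byte exponent length, exponent, modulus."""
    elen = blob[0]  # the 3-byte length form for long exponents is not handled
    return int.from_bytes(blob[1:1 + elen], "big"), int.from_bytes(blob[1 + elen:], "big")

def check_key(text):
    """Return the names of failed checks; an empty list means the key is coherent."""
    k, pub = parse_key(text)
    n, e, d = k["Modulus"], k["PublicExponent"], k["PrivateExponent"]
    p, q = k["Prime1"], k["Prime2"]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    checks = {
        "pubkey= matches Modulus/PublicExponent": pub is not None and decode_pubkey(pub) == (e, n),
        "Modulus == Prime1 * Prime2": n == p * q,
        "e*d == 1 mod lcm(p-1,q-1)": (e * d) % lam == 1,
        "Exponent1 == d mod (p-1)": k["Exponent1"] == d % (p - 1),
        "Exponent2 == d mod (q-1)": k["Exponent2"] == d % (q - 1),
        "Coefficient == q^-1 mod p": (k["Coefficient"] * q) % p == 1,
    }
    return [name for name, ok in checks.items() if not ok]
```

Because e*d is tested modulo lcm(p-1,q-1), a --noopt private exponent (here 0x9af3 instead of 0x26bd) passes the same checks.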

No attempt is made to break long lines.

The US patent on the RSA algorithm expired 20 Sept 2000.

ipsec rsasigkey --verbose 2192 >mykey.txt
    generates a 2192-bit signature key and puts it in the file
    mykey.txt, with running commentary on standard error. The file
    contents can be inserted verbatim into a suitable entry in the
    ipsec.secrets file (see ipsec_secrets(5)), and the public key
    can then be extracted and edited into the ipsec.conf (see
    ipsec_showhostkey(8)).

ipsec rsasigkey --verbose --oldkey oldie >latest.txt
    takes the old signature key from file oldie and puts a version
    in the current format into the file latest.txt, with running
    commentary on standard error.

/dev/random, /dev/urandom

random(4), rngd(8), ipsec_showhostkey(8), Applied Cryptography, 2nd.
ed., by Bruce Schneier, Wiley 1996, RFCs 2537, 2313, GNU MP, the GNU
multiple precision arithmetic library, edition 2.0.2, by Torbjörn Granlund

Written for the Linux FreeS/WAN project <http://www.freeswan.org> by
Henry Spencer.

There is an internal limit on nbits, currently 20000.

rsasigkey's run time is difficult to predict, since /dev/random output
can be arbitrarily delayed if the system's entropy pool is low on
randomness, and the time taken by the search for primes is also somewhat
unpredictable. A reasonably typical time for a 1024-bit key on a quiet
00MHz Pentium MMX with plenty of randomness available is 20 seconds,
almost all of it in the prime searches. Generating a 2192-bit key on the
same system usually takes several minutes. A 4096-bit key took an hour
and a half of CPU time.

The --oldkey option does not check its input format as rigorously as it
might. Corrupted rsasigkey output may confuse it.