diff options
Diffstat (limited to 'doc/manpage.d/ipsec_rsasigkey.8.html')
| -rw-r--r-- | doc/manpage.d/ipsec_rsasigkey.8.html | 401 |
1 files changed, 0 insertions, 401 deletions
diff --git a/doc/manpage.d/ipsec_rsasigkey.8.html b/doc/manpage.d/ipsec_rsasigkey.8.html deleted file mode 100644 index 3173a9f13..000000000 --- a/doc/manpage.d/ipsec_rsasigkey.8.html +++ /dev/null @@ -1,401 +0,0 @@ -Content-type: text/html - -<HTML><HEAD><TITLE>Manpage of IPSEC_RSASIGKEY</TITLE> -</HEAD><BODY> -<H1>IPSEC_RSASIGKEY</H1> -Section: Maintenance Commands (8)<BR>Updated: 22 July 2001<BR><A HREF="#index">Index</A> -<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR> - - -<A NAME="lbAB"> </A> -<H2>NAME</H2> - -ipsec rsasigkey - generate RSA signature key -<A NAME="lbAC"> </A> -<H2>SYNOPSIS</H2> - -<B>ipsec</B> - -<B>rsasigkey</B> - -[ -<B>--verbose</B> - -] [ -<B>--random</B> - -filename -] -<B>\</B> - -<BR> - - [ -<B>--rounds</B> - -nr -] [ -<B>--hostname</B> - -host ] [ -<B>--noopt</B> - -] nbits -<BR> - -<B>ipsec</B> - -<B>rsasigkey</B> - -[ -<B>--verbose</B> - -] [ -<B>--hostname</B> - -host ] -<B>\</B> - -<BR> - - -[ -<B>--noopt</B> - -] -<B>--oldkey</B> - -file -<A NAME="lbAD"> </A> -<H2>DESCRIPTION</H2> - -<I>Rsasigkey</I> - -generates an RSA public/private key pair, -suitable for digital signatures, -of (exactly) -<I>nbits</I> - -bits (that is, two primes each of exactly -<I>nbits</I>/2 - -bits, -and related numbers) -and emits it on standard output as ASCII (mostly hex) data. -<I>nbits</I> - -must be a multiple of 16. -<P> - -The public exponent is forced to the value -<B>3</B>, - -which has important speed advantages for signature checking. -Beware that the resulting keys have known weaknesses as encryption keys -<I>and should not be used for that purpose</I>. -<P> - -The -<B>--verbose</B> - -option makes -<I>rsasigkey</I> - -give a running commentary on standard error. -By default, it works in silence until it is ready to generate output. -<P> - -The -<B>--random</B> - -option specifies a source for random bits. -The default is -<I>/dev/random</I> - -(see -<I><A HREF="random.4.html">random</A></I>(4)). - -Normally, -<I>rsasigkey</I> - -reads exactly -<I>nbits</I> - -random bits from the source; -in extremely-rare circumstances it may need more. -<P> - -The -<B>--rounds</B> - -option specifies the number of rounds to be done by the -<I>mpz_probab_prime_p</I> - -probabilistic primality checker. -The default, 30, is fairly rigorous and should not normally -have to be overridden. -<P> - -The -<B>--hostname</B> - -option specifies what host name to use in -the first line of the output (see below); -the default is what -<I><A HREF="gethostname.2.html">gethostname</A></I>(2) - -returns. -<P> - -The -<B>--noopt</B> - -option suppresses an optimization of the private key -(to be precise, setting of the decryption exponent to -<B>lcm(p-1,q-1)</B> - -rather than -<B>(p-1)*(q-1)</B>) - -which speeds up operations on it slightly -but can cause it to flunk a validity check in old RSA implementations -(notably, obsolete versions of -<I><A HREF="ipsec_pluto.8.html">ipsec_pluto</A></I>(8)). - -<P> - -The -<B>--oldkey</B> - -option specifies that rather than generate a new key, -<I>rsasigkey</I> - -should read an old key from the -<I>file</I> - -(the name -<B>-</B> - -means ``standard input'') -and use that to generate its output. -Input lines which do not look like -<I>rsasigkey</I> - -output are silently ignored. -This permits updating old keys to the current format. -<P> - -The output format looks like this (with long numbers trimmed down -for clarity): -<P> - - -<PRE> - # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000 - # for signatures only, UNSAFE FOR ENCRYPTION - #pubkey=0sAQOF8tZ2NZt...Y1P+buFuFn/ - Modulus: 0xcc2a86fcf440...cf1011abb82d1 - PublicExponent: 0x03 - # everything after this point is secret - PrivateExponent: 0x881c59fdf8...ab05c8c77d23 - Prime1: 0xf49fd1f779...46504c7bf3 - Prime2: 0xd5a9108453...321d43cb2b - Exponent1: 0xa31536a4fb...536d98adda7f7 - Exponent2: 0x8e70b5ad8d...9142168d7dcc7 - Coefficient: 0xafb761d001...0c13e98d98 -</PRE> - -<P> - -The first (comment) line, -indicating the nature and date of the key, -and giving a host name, -is used by -<I><A HREF="ipsec_showhostkey.8.html">ipsec_showhostkey</A></I>(8) - -when generating some forms of key output. -<P> - -The commented-out -<B>pubkey=</B> - -line contains the public key---the public exponent and the modulus---combined -in approximately RFC 2537 format -(the one deviation is that the combined value is given with a -<B>0s</B> - -prefix, rather than in unadorned base-64), -suitable for use in the -<I>ipsec.conf</I> - -file. -<P> - -The -<B>Modulus</B>, - -<B>PublicExponent</B>, - -and -<B>PrivateExponent</B> - -lines give the basic signing and verification data. -<P> - -The -<B>Prime1</B> - -and -<B>Prime2</B> - -lines give the primes themselves (aka -<I>p</I> - -and -<I>q</I>), - -largest first. -The -<B>Exponent1</B> - -and -<B>Exponent2</B> - -lines give -the private exponent mod -<I>p-1</I> - -and -<I>q-1</I> - -respectively. -The -<B>Coefficient</B> - -line gives the Chinese Remainder Theorem coefficient, -which is the inverse of -<I>q</I>, - -mod -<I>p</I>. - -These additional numbers (which must all be kept as secret as the -private exponent) are precomputed aids to rapid signature generation. -<P> - -No attempt is made to break long lines. -<P> - -The US patent on the RSA algorithm expired 20 Sept 2000. -<A NAME="lbAE"> </A> -<H2>EXAMPLES</H2> - -<DL COMPACT> -<DT><B>ipsec rsasigkey --verbose 2192 >mykey</B> - -<DD> -generates a 2192-bit signature key and puts it in the file -<I>mykey</I>, - -with running commentary on standard error. -The file contents can be inserted verbatim into a suitable entry in the -<I>ipsec.secrets</I> - -file (see -<I><A HREF="ipsec.secrets.5.html">ipsec.secrets</A></I>(5)), - -and the public key can then be extracted and edited into the -<I>ipsec.conf</I> - -file (see -<I><A HREF="ipsec.conf.5.html">ipsec.conf</A></I>(5)). - -<DT><B>ipsec rsasigkey --verbose --oldkey oldie >latest</B> - -<DD> -takes the old signature key from file -<I>oldie</I> - -and puts a version in the current format into the file -<I>latest</I>, - -with running commentary on standard error. -</DL> -<A NAME="lbAF"> </A> -<H2>FILES</H2> - -/dev/random -<A NAME="lbAG"> </A> -<H2>SEE ALSO</H2> - -<A HREF="random.4.html">random</A>(4), <A HREF="ipsec_showhostkey.8.html">ipsec_showhostkey</A>(8) -<BR> - -<I>Applied Cryptography</I>, 2nd. ed., by Bruce Schneier, Wiley 1996. -<BR> - -RFCs 2537, 2313. -<BR> - -<I>GNU MP, the GNU multiple precision arithmetic library, edition 2.0.2</I>, -by Torbj Granlund. -<A NAME="lbAH"> </A> -<H2>HISTORY</H2> - -Written for the Linux FreeS/WAN project -<<A HREF="http://www.freeswan.org">http://www.freeswan.org</A>> -by Henry Spencer. -<A NAME="lbAI"> </A> -<H2>BUGS</H2> - -There is an internal limit on -<I>nbits</I>, - -currently 20000. -<P> - -<I>Rsasigkey</I>'s - -run time is difficult to predict, -since -<I>/dev/random</I> - -output can be arbitrarily delayed if -the system's entropy pool is low on randomness, -and the time taken by the search for primes is also somewhat unpredictable. -A reasonably typical time for a 1024-bit key on a quiet 200MHz Pentium MMX -with plenty of randomness available is 20 seconds, -almost all of it in the prime searches. -Generating a 2192-bit key on the same system usually takes several minutes. -A 4096-bit key took an hour and a half of CPU time. -<P> - -The -<B>--oldkey</B> - -option does not check its input format as rigorously as it might. -Corrupted -<I>rsasigkey</I> - -output may confuse it. -<P> - -<HR> -<A NAME="index"> </A><H2>Index</H2> -<DL> -<DT><A HREF="#lbAB">NAME</A><DD> -<DT><A HREF="#lbAC">SYNOPSIS</A><DD> -<DT><A HREF="#lbAD">DESCRIPTION</A><DD> -<DT><A HREF="#lbAE">EXAMPLES</A><DD> -<DT><A HREF="#lbAF">FILES</A><DD> -<DT><A HREF="#lbAG">SEE ALSO</A><DD> -<DT><A HREF="#lbAH">HISTORY</A><DD> -<DT><A HREF="#lbAI">BUGS</A><DD> -</DL> -<HR> -This document was created by -<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>, -using the manual pages.<BR> -Time: 21:40:18 GMT, November 11, 2003 -</BODY> -</HTML> |