Makecert.exe: What is the approximate size of the prime numbers used to generate an RSA 1024-bit key pair?
Question

Hi!
I am developing a C# application that needs SSL-secured traffic over the network. I am planning to make a self-signed certificate for a SQL Server to secure that traffic.
I have found the makecert application to make the certificate, but I do not know whether the way it generates the private and public key is really secure. I have searched a lot on the web but did not find anything.
If anyone knows the answer or a place where I can find information, it will be very appreciated.
Thank you all in advance!
Note: I really do not know if this is the best place in the forum to post this question; if not, please tell me and I will move it.
All replies




If you really want to know, the key size of 1024 bits refers to the modulus N, not the random primes p & q, which are usually in the same range but don't have to be the exact size. If you just want to know if it's secure, sure, 1024 bit should do it for quite a while.

First of all, I want to thank you all for your replies.
I don't know if I have been clear in my question.
I'm referring to the complexity of the choice of the 2 prime numbers that give origin to the key. Let's suppose that makecert picks the 2 prime numbers from the pool 1 to 15. So the first operation of the key generation will be, for example, 7 x 13. And there won't be a lot of choices, so it will be easy to simulate all the keys that can be generated by makecert.exe...
So, does anyone know how makecert chooses those numbers? For example, it will be more secure if makecert chooses numbers from 9999999 to 9999999999999 than from the pool 1 to 15...
Thank you all again!
It has no other choice than to pick large primes to satisfy the need for a 1024 bit N. Even if it did choose 7 as one of the primes, the other prime should be somewhere in the (2^1024)/7 = 2.5681330498033084396132931296986e+307 range. Remember, whoever is brute-forcing your key does not know the value of N and therefore has to compute both primes.

Thank you very much Ray M!
It's clear what you are saying about the pool, but apart from the size it would be important to know how makecert.exe picks those numbers... if it is not well done, it will pick almost the same numbers every time it executes... I mean, it may be an algorithm that takes some probabilistic parameters to make a good choice...
For example, it won't be a good algorithm that picks the first prime number by repeating the current year (2009) until it has the length it needs, and the other prime number by adding one to the current year... let's say:
1st. prime number: 2009200920092009200920092009200920092009200920092009200920092009200920092009200920092009200920092009.....
2nd. prime number: 2010201020102010201020102010201020102010201020102010201020102010201020102010201020102010201020102010....
So if the algorithm doesn't have enough complexity in making the choice, it will be very easy to guess all the key pairs made by makecert.exe... do you know what I mean?
Thank you again! 
Now that wouldn't be very random, now would it? At this point there is no indication that the key selection in the RSA crypto provider has a weakness, but if you still have doubts and want to use something that comes with source you can inspect, grab a copy of openssl to make your keys.

OK Ray, so there is no way to find out how it takes those prime numbers... you are right that if we look at the open source code of OpenSSL we can see how it takes them!
Thank you very much for your replies! I really appreciate your attention!

So, will Microsoft answer this question?
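
An added example, not part of the thread and not makecert's or OpenSSL's code: a textbook sketch of how two 512-bit primes are drawn from the operating system's CSPRNG so that the modulus N is exactly 1024 bits, plus a check that rejects a toy pair such as 7 x 13. All function names are hypothetical.

```python
# Added illustration; function names are hypothetical, not makecert's algorithm.
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test with random bases taken from the OS CSPRNG."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # witness found: composite
    return True

def random_prime(bits):
    """Draw unpredictable candidates until one passes the primality test."""
    while True:
        # Top two bits set: p*q then has exactly 2*bits bits. Low bit set: odd.
        c = secrets.randbits(bits) | (0b11 << (bits - 2)) | 1
        if is_probable_prime(c):
            return c

def generate_modulus(modulus_bits=1024):
    half = modulus_bits // 2
    p = q = random_prime(half)
    while q == p:
        q = random_prime(half)
    return p, q, p * q

def audit(p, q, n, modulus_bits=1024):
    """Properties the two primes and N should have for the stated key size."""
    return {
        "modulus_bits_ok": n.bit_length() == modulus_bits,
        "balanced_primes": p.bit_length() == q.bit_length() == modulus_bits // 2,
        "distinct": p != q,
        "both_prime": is_probable_prime(p) and is_probable_prime(q),
    }
```
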