Makecert.exe: What is the approximate size of the prime numbers used to generate an RSA 1024-bit key pair?

  • Question

  • Hi!

    I am developing a C# application that needs SSL secure traffic over the network. I am planning to make a self-signed certificate to a SQL Server to secure that traffic.

    I have found the makecert application to make the certificate, but I do not know if the way it generates the private and public key is really secure. I have searched a lot on the web but did not find anything.

    If anyone knows the answer or a place where I can find information, it will be very appreciated.

    Thank you all in advance!

    Note: I really do not know if this is the best place in the forum to post this question; if not, please tell me and I will move it.
    Sunday, February 22, 2009 7:46 PM

All replies

  • You may try using the C# forums.

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. http://forums.msdn.microsoft.com/en-US/vssetup/thread/60424309-bd78-4ca2-b618-03c4a16123b6
    Tuesday, February 24, 2009 4:03 AM
  • Hi! Thank you for your reply, but I think this is NOT a topic of C#, because makecert.exe is part of the .Net framework and not just part of C#...
    Tuesday, February 24, 2009 6:22 PM
  • 56-bit RSA is considered insecure today.  A 64-bit key was broken with 70,000 home PCs in 5 years.  The answer to breaking a 1024 key is 42.
    Hans Passant.
    Wednesday, February 25, 2009 3:48 AM
  • If you really want to know, the keysize of 1024 bits refers to the modulus N, not the random primes p & q, which are usually in the same range but don't have to be the exact size. If you just want to know if it's secure, sure, 1024 bit should do it for quite a while.

    Wednesday, February 25, 2009 11:26 PM
  • First of all, I want to thank you for all your replies.

    I don't know if I have been clear in my question.

    I'm referring to the complexity of the choice of the 2 prime numbers that the key originates from. Let's suppose that makecert picks the 2 prime numbers from the pool 1-15. So the first operation of the key generation will be, for example, 7 x 13. And there won't be a lot of choices, so it will be easy to simulate all the keys that can be generated by makecert.exe...

    So, does anyone know how makecert chooses those numbers? For example, it would be more secure if makecert chose numbers from 9999999 to 9999999999999 than from the pool 1 to 15...

    Thank you all again!
    Thursday, February 26, 2009 10:57 AM
  • It has no other choice than to pick large primes to satisfy the need for a 1024 bit N. Even if it did choose 7 as one of the primes, the other prime should be somewhere in the (2^1024)/7 = 2.5681330498033084396132931296986e+307 range. Remember, whoever is brute-forcing your key does not know the value of N and therefore has to compute both primes.

    Thursday, February 26, 2009 2:56 PM
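    As an added illustration of the point above (my own Python, not code from the thread or from makecert): a 1024-bit key size is the size of N, so a sound generator draws each prime independently at about 512 bits from an OS CSPRNG, and forcing one prime to be tiny (7) only pushes the other one up to about 2^1024/7. The `audit_primes` function is a defender's sanity check you can run on any key pair whose p and q you can inspect; all function names are assumptions.

```python
import random
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
_rng = random.SystemRandom()  # OS CSPRNG; the default Mersenne Twister is not suitable for keys

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (error chance negligible at 32 rounds)."""
    if n < 2 or any(n % s == 0 for s in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:  # write n - 1 = d * 2**r with d odd
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base witnesses that n is composite
    return True

def random_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits; top two bits forced to 1 so p*q fills the whole modulus."""
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand

def generate_rsa_primes(modulus_bits: int):
    p, q = random_prime(modulus_bits // 2), random_prime(modulus_bits // 2)
    return p, q, p * q  # two independent half-size primes, as a sound generator picks them

def cofactor_bits(modulus_bits: int, small_prime: int) -> int:
    """Size the other prime must have if one prime is tiny (the thread's p = 7 case)."""
    return ((1 << modulus_bits) // small_prime).bit_length()

def audit_primes(p: int, q: int, modulus_bits: int) -> list:
    """Defender's sanity checks on a key pair whose generator you do not trust."""
    findings = []
    if not (is_probable_prime(p) and is_probable_prime(q)):
        findings.append("a factor is not prime")
    if (p * q).bit_length() != modulus_bits:
        findings.append("modulus is not the requested size")
    for factor in (p, q):
        if factor.bit_length() < modulus_bits // 2:  # sizes need not match exactly, but a tiny factor is a red flag
            findings.append("prime shorter than half the modulus: %d bits" % factor.bit_length())
    return findings
```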
  • Thank you very much Ray M!

    It's clear what you are saying about the pool, but apart from the size it would be important to know how makecert.exe picks those numbers... if it is not well done it will pick almost the same numbers every time it executes... I mean, it may be an algorithm that takes some probabilistic parameters to make a good choice...

    For example, it wouldn't be a good algorithm that picks the first prime number by repeating the current year (2009) until it has the length it needs, and the other prime number by adding one to the current year... let's say:
    1st. prime number: 2009200920092009200920092009200920092009200920092009200920092009200920092009200920092009200920092009.....
    2nd. prime number: 2010201020102010201020102010201020102010201020102010201020102010201020102010201020102010201020102010....

    So if the algorithm doesn't have enough complexity when making the choice, it will be very easy to guess all the key pairs made by makecert.exe... do you know what I mean?

    Thank you again!
    Thursday, February 26, 2009 3:37 PM
  • Now that wouldn't be very random now, would it? At this point there is no indication that the key selection in the RSA crypto provider has a weakness, but if you still have doubts and want to use something that comes with source you can inspect, grab a copy of OpenSSL to make your keys.

    Thursday, February 26, 2009 4:28 PM
  • OK Ray, so there is no way to find out how it picks those prime numbers... you are right that if we look at the open source code of OpenSSL we can see how it picks them!

    Thank you very much for your replies! I really appreciate your attention!

    So, will Microsoft answer this question?
    Thursday, February 26, 2009 5:57 PM