[Cryptography] OpenSSL: rsa_builtin_keygen: key size too small

Viktor Dukhovni cryptography at dukhovni.org
Sun Dec 22 20:37:05 EST 2019

> On Dec 22, 2019, at 12:33 PM, Henry Baker <hbaker1 at pipeline.com> wrote:
> I'm developing a system that utilizes public key encryption, but it
> is exceptionally computationally intensive (at least for the machine
> that I'm developing it on).

Is this some sort of embedded device with extremely limited CPU
resources?  Can it be simulated at higher speed during development?

Is OpenSSL the right toolkit for the device in question?  There are
likely other libraries specifically targeted at that segment of the

> I tried to downgrade the encryption just for the development phase,
> but OpenSSL won't allow me to use keys smaller than 512 bits.

That's compiled in and not configurable.

> Does anyone know how to turn off this error message in order to
> work with much smaller keys?
> openssl genrsa -out key128.pem 128
> "key size too small"

You'd have to recompile OpenSSL:

crypto/rsa/rsa_local.h:14:#define RSA_MIN_MODULUS_BITS    512
crypto/rsa/rsa_gen.c:76:    if (bits < RSA_MIN_MODULUS_BITS) {
crypto/rsa/rsa_gen.c-77-        ok = 0;             /* we set our own err */
crypto/rsa/rsa_gen.c-78-        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
crypto/rsa/rsa_gen.c-79-        goto err;
crypto/rsa/rsa_pmeth.c:464:        if (p1 < RSA_MIN_MODULUS_BITS) {
crypto/rsa/rsa_pmeth.c-465-            RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL);
crypto/rsa/rsa_pmeth.c-466-            return -2;


More information about the cryptography mailing list