More documentation about key size and OpenSSL compatibility

sybrenstuvel · sybrenstuvel · commit 58fe9468aaeb · 2011-08-03T13:56:32.000+02:00
diff --git a/doc/compatibility.rst b/doc/compatibility.rst
@@ -27,24 +27,25 @@ Public keys:
 :ref:`VARBLOCK <bigfiles>` encryption:
     Python-RSA only, not compatible with any other known application.
 
+.. _openssl:
 
-Public keys from OpenSSL
+Interoperability with OpenSSL
 --------------------------------------------------
 
+You can create a 512-bit RSA key in OpenSSL as follows::
+
+    openssl genrsa -out myprivatekey.pem 512
+
 To get a Python-RSA-compatible public key from OpenSSL, you need the
-private key. Get the private key in PEM or DER format and run it
-through the ``pyrsa-priv2pub`` command::
-
- 
- Usage: pyrsa-priv2pub [options]
- 
- Reads a private key and outputs the corresponding public key. Both
- private and public keys use the format described in PKCS#1 v1.5
- 
- Options:
-   -h, --help         show this help message and exit
-   --in=INFILENAME    Input filename. Reads from stdin if not specified
-   --out=OUTFILENAME  Output filename. Writes to stdout of not specified
-   --inform=INFORM    key format of input - default PEM
-   --outform=OUTFORM  key format of output - default PEM
+private key first, then run it through the ``pyrsa-priv2pub``
+command::
+
+    pyrsa-priv2pub -i myprivatekey.pem -o mypublickey.pem
+
+Encryption and decryption is also compatible::
+
+    $ echo hello there > testfile.txt
+    $ pyrsa-encrypt -i testfile.txt -o testfile.rsa publickey.pem
+    $ openssl rsautl -in testfile.rsa -inkey privatekey.pem -decrypt
+    hello there
 
diff --git a/doc/usage.rst b/doc/usage.rst
@@ -44,8 +44,9 @@ encrypt. If you don't mind having a slightly smaller key than you
 requested, you can pass ``accurate=False`` to speed up the key
 generation process.
 
-These are some timings from my netbook (Linux 2.6, 1.6 GHz Intel Atom
-N270 CPU, 2 GB RAM):
+These are some average timings from my netbook (Linux 2.6, 1.6 GHz
+Intel Atom N270 CPU, 2 GB RAM). Since key generation is a random
+process, times may differ.
 
 +----------------+------------------+
 | Keysize (bits) | Time to generate |
@@ -69,6 +70,36 @@ N270 CPU, 2 GB RAM):
 | 2048           | 132.97 sec.      |
 +----------------+------------------+
 
+If key generation is too slow for you, you could use OpenSSL to
+generate them for you, then load them in your Python code. See
+:ref:`openssl` for more information.
+
+Key size requirements
+--------------------------------------------------
+
+Python-RSA version 3.0 introduced PKCS#1-style random padding. This
+means that 11 bytes (88 bits) of your key are no longer usable for
+encryption, so keys smaller than this are unusable. The larger the
+key, the higher the security.
+
+Creating signatures also requires a key of a certain size, depending
+on the used hash method:
+
++-------------+-----------------------------------+
+| Hash method | Suggested minimum key size (bits) |
++=============+===================================+
+| MD5         | 360                               |
++-------------+-----------------------------------+
+| SHA-1       | 368                               |
++-------------+-----------------------------------+
+| SHA-256     | 496                               |
++-------------+-----------------------------------+
+| SHA-384     | 624                               |
++-------------+-----------------------------------+
+| SHA-512     | 752                               |
++-------------+-----------------------------------+
+
+
 
 Encryption and decryption
 --------------------------------------------------
diff --git a/rsa/cli.py b/rsa/cli.py
@@ -41,7 +41,7 @@ def keygen():
             'not saved if this option is not present. You can use '
             'pyrsa-priv2pub to create the public key file later.')
     
-    parser.add_option('--out', type='string',
+    parser.add_option('-o', '--out', type='string',
             help='Output filename for the private key. The key is '
             'written to stdout if this option is not present.')
 
@@ -142,10 +142,10 @@ def parse_cli(self):
 
         parser = OptionParser(usage=self.usage, description=self.description)
         
-        parser.add_option('--input', type='string', help=self.input_help)
+        parser.add_option('-i', '--input', type='string', help=self.input_help)
 
         if self.has_output:
-            parser.add_option('--output', type='string', help=self.output_help)
+            parser.add_option('-o', '--output', type='string', help=self.output_help)
 
         parser.add_option('--keyform',
                 help='Key format of the %s key - default PEM' % self.keyname,
diff --git a/rsa/util.py b/rsa/util.py
@@ -30,9 +30,9 @@ def private_to_public():
             'corresponding public key. Both private and public keys use '
             'the format described in PKCS#1 v1.5')
 
-    parser.add_option('--in', dest='infilename', type='string',
+    parser.add_option('-i', '--input', dest='infilename', type='string',
             help='Input filename. Reads from stdin if not specified')
-    parser.add_option('--out', dest='outfilename', type='string',
+    parser.add_option('-o', '--output', dest='outfilename', type='string',
             help='Output filename. Writes to stdout of not specified')
 
     parser.add_option('--inform', dest='inform',
