On Sep 30, 2010, at 11:41:18 AM, Thor Lancelot Simon wrote:

> On Wed, Sep 29, 2010 at 09:22:38PM -0700, Chris Palmer wrote:
>> Thor Lancelot Simon writes:
>>
>>> a significant net loss of security, since the huge increase in computation
>>> required will delay or prevent the deployment of "SSL everywhere".
>>
>> That would only happen if we (as security experts) allowed web developers to
>> believe that the speed of RSA is the limiting factor for web application
>> performance.
>
> At 1024 bits, it is not. But you are looking at a factor of *9* increase
> in computational cost when you go immediately to 2048 bits. At that point,
> the bottleneck for many applications shifts, particularly those which are
> served by offload engines specifically to move the bottleneck so it's not
> RSA in the first place.
>
> Also, consider devices such as deep-inspection firewalls or application
> traffic managers which must by their nature offload SSL processing in
> order to inspect and possibly modify data before application servers see
> it. The inspection or modification function often does not parallelize
> nearly as well as the web application logic itself, and so it is often
> not practical to handle it in a distributed way and "just add more CPU".
>
> At present, these devices use the highest performance modular-math ASICs
> available and can just about keep up with current web applications'
> transaction rates. Make the modular math an order of magnitude slower
> and suddenly you will find you can't put these devices in front of some
> applications at all.
>
> This too will hinder the deployment of "SSL everywhere", and handwaving
> about how for some particular application, the bottleneck won't be at
> the front-end server even if it is an order of magnitude slower for it
> to do the RSA operation itself will not make that problem go away.

While I'm not convinced you're correct, I think that many posters here
underestimate the total cost of SSL.

A friend of mine -- a very competent friend -- was working on a design for
a somewhat sensitive website. He really wanted to use SSL -- but the
*system* would have cost at least 12x as much. There were many issues, but
one of them is that the average dwell time on a web site is very few pages,
which means that you have to amortize the cost of the SSL negotiation over
very little actual activity.

--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
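The two cost claims in the thread above (roughly an order-of-magnitude slowdown in the RSA private-key operation when moving from 1024 to 2048 bits, and the handshake cost having to be amortized over only a few pages per visit) can be checked in software. The script below is an added illustration written for this page; it is not code from the thread or its authors. It times the modular exponentiation that dominates an RSA private-key operation, with and without the CRT split, on constructed odd moduli and full-size exponents (stand-ins, not real RSA keys; the cost of the arithmetic is the same), and divides the handshake cost by an assumed pages-per-session figure. The ~8x ratio it reports on a general-purpose CPU is in the neighbourhood of the factor of 9 quoted in the thread; modular-math ASICs will show different absolute numbers but the same growth law.

```python
import random
import time

# Constructed demo operands (seeded so runs are repeatable). These are NOT
# real RSA keys, only odd moduli and exponents of the stated bit length. An
# RSA private-key operation without CRT is one modular exponentiation with a
# full-size exponent, so timing pow(base, d, n) is a fair proxy for its cost.
_rng = random.Random(20100930)


def make_operands(bits):
    """Return (base, exponent, modulus); exponent and modulus are `bits` long and odd."""
    modulus = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    exponent = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    base = _rng.randrange(2, modulus - 1)
    return base, exponent, modulus


def time_modexp(bits, rounds=5):
    """Best-of-`rounds` wall-clock seconds for one full-size modexp at `bits`."""
    base, exp, mod = make_operands(bits)
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        pow(base, exp, mod)
        best = min(best, time.perf_counter() - start)
    return best


def time_modexp_crt(bits, rounds=5):
    """The same private operation split CRT-style into two half-size modexps.

    Real CRT-RSA needs the key's prime factors p and q; the two half-size odd
    moduli used here are constructed stand-ins with the same arithmetic cost.
    """
    half = bits // 2
    ops = [make_operands(half), make_operands(half)]
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        for base, exp, mod in ops:
            pow(base, exp, mod)
        best = min(best, time.perf_counter() - start)
    return best


def cost_ratio(small_bits=1024, large_bits=2048, crt=False):
    """How many times slower the larger key is (about 8x for a doubling:
    twice as many exponent bits, each step on numbers twice as wide)."""
    timer = time_modexp_crt if crt else time_modexp
    return timer(large_bits) / timer(small_bits)


def private_ops_per_second(bits, crt=False):
    """Single-core private-key operations per second at this key size."""
    timer = time_modexp_crt if crt else time_modexp
    return 1.0 / timer(bits)


def private_op_cost_per_page(bits, pages_per_session, crt=False):
    """Seconds of private-key work attributable to each page served, when a
    session of `pages_per_session` pages triggers one full handshake."""
    timer = time_modexp_crt if crt else time_modexp
    return timer(bits) / pages_per_session


if __name__ == "__main__":
    pages = 3  # assumed pages per visit; a short dwell time, as in the thread
    for crt in (False, True):
        label = "CRT" if crt else "no CRT"
        for bits in (1024, 2048):
            print(f"{bits}-bit ({label}): {private_ops_per_second(bits, crt):8.1f} ops/s, "
                  f"{1000 * private_op_cost_per_page(bits, pages, crt):.2f} ms per page "
                  f"at {pages} pages/session")
        print(f"2048 vs 1024 slowdown ({label}): {cost_ratio(crt=crt):.1f}x")
```

The CRT variant shows why offload engines and libraries always use it: the absolute cost drops to roughly a quarter, but the 1024-to-2048 ratio is unchanged, which is the point Simon makes about devices that are already sized to the current transaction rate. The per-page figure is what a capacity plan has to use when visits are short, since session resumption can only help from the second request onward.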