On Sep 30, 2010, at 11:41 18AM, Thor Lancelot Simon wrote:

> On Wed, Sep 29, 2010 at 09:22:38PM -0700, Chris Palmer wrote:
>> Thor Lancelot Simon writes:
>>> a significant net loss of security, since the huge increase in computation
>>> required will delay or prevent the deployment of "SSL everywhere".
>> That would only happen if we (as security experts) allowed web developers to
>> believe that the speed of RSA is the limiting factor for web application
>> performance.
> At 1024 bits, it is not.  But you are looking at a factor of *9* increase
> in computational cost when you go immediately to 2048 bits.  At that point,
> the bottleneck for many applications shifts, particularly those which are
> served by offload engines specifically to move the bottleneck so it's not
> RSA in the first place.
> Also, consider devices such as deep-inspection firewalls or application
> traffic managers which must by their nature offload SSL processing in
> order to inspect and possibly modify data before application servers see 
> it.  The inspection or modification function often does not parallelize
> nearly as well as the web application logic itself, and so it is often
> not practical to handle it in a distributed way and "just add more CPU".
> At present, these devices use the highest performance modular-math ASICs
> available and can just about keep up with current web applications'
> transaction rates.  Make the modular math an order of magnitude slower
> and suddenly you will find you can't put these devices in front of some
> applications at all.
> This too will hinder the deployment of "SSL everywhere", and handwaving
> about how for some particular application, the bottleneck won't be at
> the front-end server even if it is an order of magnitude slower for it
> to do the RSA operation itself will not make that problem go away.
While I'm not convinced you're correct, I think that many posters here
underestimate the total cost of SSL.  A friend of mine -- a very competent
friend -- was working on a design for a somewhat sensitive website.  He
really wanted to use SSL -- but the *system* would have cost at least 12x
as much.  There were many issues, but one of them is that the average dwell
time on a web site is very few pages, which means that you have to amortize
the cost of the SSL negotiation over very little actual activity.  

                --Steve Bellovin, http://www.cs.columbia.edu/~smb
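The "factor of 9" claim for going from 1024- to 2048-bit RSA is easy to check for yourself. The script below is an added illustration for this thread, not code from any of the posters: it models where the cost comes from (square-and-multiply does about n modular multiplications on an n-bit modulus, each costing about w^2 word operations with schoolbook multiplication on w-word numbers, so cost grows roughly as n^3 and doubling the modulus costs about 8x) and then measures CPython's built-in `pow(base, exp, mod)` on constructed random odd moduli of both sizes. The moduli are not real RSA keys; modular-exponentiation cost depends only on operand sizes, which is what is being compared. The 64-bit word size is an assumption of the model. Real RSA private operations use the CRT (two exponentiations at half the modulus size), which shrinks the absolute time but leaves the ratio between key sizes unchanged.

```python
"""Relative cost of RSA private-key operations as the modulus grows.

Added illustration for the mailing-list thread; not the posters' code.
The moduli below are constructed at random (NOT real RSA keys) because
only operand size matters for the cost of a modular exponentiation.
"""
import secrets
import time

WORD_BITS = 64  # assumed machine word size for the cost model


def modexp_word_ops(bits: int) -> int:
    """Model the word operations in one modular exponentiation.

    Square-and-multiply with a random n-bit exponent performs n squarings
    plus about n/2 multiplications; each is a schoolbook product of two
    w-word numbers followed by a reduction of similar cost (w^2 each).
    """
    words = -(-bits // WORD_BITS)          # ceil(bits / WORD_BITS)
    per_mult = 2 * words * words           # multiply + reduce
    n_mults = bits + bits // 2             # squarings + ~half as many multiplies
    return n_mults * per_mult


def model_cost_ratio(small_bits: int, large_bits: int) -> float:
    """Predicted slowdown of the larger key relative to the smaller one."""
    return modexp_word_ops(large_bits) / modexp_word_ops(small_bits)


def _random_operands(bits: int):
    """Constructed full-size odd modulus, full-size exponent, random base."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    d = secrets.randbits(bits) | (1 << (bits - 1))
    m = secrets.randbelow(n)
    return n, d, m


def time_modexp(bits: int, iterations: int = 20, repeats: int = 3) -> float:
    """Best-of-`repeats` seconds per modular exponentiation at `bits` size."""
    n, d, m = _random_operands(bits)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        for _ in range(iterations):
            pow(m, d, n)
        best = min(best, (time.perf_counter() - start) / iterations)
    return best


def measured_cost_ratio(small_bits: int = 1024, large_bits: int = 2048) -> float:
    """Measured slowdown of the larger key relative to the smaller one."""
    return time_modexp(large_bits) / time_modexp(small_bits)


if __name__ == "__main__":
    print("model    1024 -> 2048:", model_cost_ratio(1024, 2048))
    print("measured 1024 -> 2048:", round(measured_cost_ratio(), 1))
```

The model gives exactly 8.0; the measured ratio on CPython typically lands in the same neighbourhood, with the remaining difference coming from constant overheads (reduction strategy, windowing, fixed per-call cost) rather than the asymptotics. Hardware offload engines and libraries with Montgomery or Karatsuba arithmetic change the constants, not the roughly cubic growth, which is why the bottleneck shift discussed above is a real operational concern rather than a measurement artifact.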

