On Jul 26, 2011, at 11:13 AM, Scott Fluhrer (sfluhrer) wrote:

>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Yoav Nir
>> Sent: Tuesday, July 26, 2011 6:40 AM
>> To: Prashant Batra (prbatra)
>> Cc: [email protected]
>> Subject: Re: [IPsec] DH keys calculation performance
>>
>> On Jul 25, 2011, at 11:29 PM, Prashant Batra (prbatra) wrote:
>>
>>> Hello,
>>>
>>> The DH exchange (Calculation of Public/Private key and the Secret) in
>>> IKEV2 Initial exchange seems to be very expensive. This is slowing
>>> down the overall IKEv2 tunnel establishment.
>>> Is there a way to optimize it?
>>
>> Hi Prashant.
>>
>> I know of three ways to optimize the D-H exchange.
>>
>> First, note that each peer has to perform two operations:
>>
>> Second, note that
>> 2^73 mod p = ((2^64 mod p) * (2^8 mod p) * (2^1 mod p)) mod p
>> If you're using a 2048-bit D-H group, you can pre-calculate
>> 2^x mod p for 0<=x<=2048 and store these values.
>
> Surely, you mean something like 0<=x<320 or so. When you create a DH
> shared secret for a MODP group, it is pointless to create a secret as
> big as the prime. Against DH, there are two known types of attacks:
>
>   (A) Attacks that take time based on the modulus (and don't
>       depend on the value of the exponent at all)
>   (B) Attacks that take time based on the exponent (and don't
>       depend that much on the value of the modulus)
>
> What you want to do is pick your exponent just large enough that (B)
> attacks take about as long as (A) attacks; making the exponent any
> larger than that will make it more expensive for you without making it
> any more secure (because an attacker can just go ahead with an (A)
> attack); while making it smaller will make it less secure (because a (B)
> attack becomes easier).

Yes. My bad.
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
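
The table-based exponentiation discussed in this thread, as an added example that is not part of the original messages or of any IKE implementation: it stores g^(2^i) mod p for each bit position of a 320-bit exponent and multiplies the entries selected by the set bits, which only helps where the base is the fixed generator (computing the public value). Assumptions: the modulus is a stand-in prime (2^255 - 19) so the block is self-contained, not an IKE MODP group, and the names `build_table`, `fixed_base_pow` and `public_value` are hypothetical.

```python
import secrets

# Assumption: stand-in prime so the example runs offline; NOT an IKE MODP group.
P = 2**255 - 19
G = 2            # generator used by the MODP groups and by the 2^73 example
EXP_BITS = 320   # exponent length suggested in the thread ("0<=x<320 or so")


def build_table(g, p, bits):
    """Return [g^(2^0), g^(2^1), ..., g^(2^(bits-1))], each reduced mod p."""
    table = []
    cur = g % p
    for _ in range(bits):
        table.append(cur)
        cur = (cur * cur) % p   # next entry is the square of the previous one
    return table


def fixed_base_pow(table, x, p):
    """Compute g^x mod p as the product of table entries for the set bits of x."""
    if x < 0 or x.bit_length() > len(table):
        raise ValueError("exponent outside the precomputed range")
    result = 1
    i = 0
    while x:
        if x & 1:
            result = (result * table[i]) % p
        x >>= 1
        i += 1
    return result


# Built once (for example at start-up) and reused for every exchange.
TABLE = build_table(G, P, EXP_BITS)


def public_value(private_exponent):
    """Public value g^x mod p for a private exponent of at most EXP_BITS bits."""
    return fixed_base_pow(TABLE, private_exponent, P)


if __name__ == "__main__":
    x = secrets.randbits(EXP_BITS)          # constructed sample exponent
    assert public_value(x) == pow(G, x, P)  # matches ordinary modular exponentiation
    print("table entries:", len(TABLE), "- result matches pow()")
```

The lookups here are indexed by the bits of the private exponent, so this form is not constant-time.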
