Re: Duration of rsa key generation process
RSA key generation is time-nondeterministic. The reason why is because candidate prime pairs (generated from the random number generator) must both pass primality and relative primality tests. If the tests fail, both are supposed to be discarded and the generation go back to step 1. If you're unlucky and get a lot of numbers that fail the tests, you're going to wait a long time.

EC takes a private key generated pretty much arbitrarily, and then calculates the public key from that. Its key generation process is much more time-deterministic.

-Kyle H

On 7/3/2014 12:46 AM, phildoch wrote:
> I tested the generation of a certificate with a keypair RSA 4096 bit on two
> different platforms.
>
> The openssl command I used is:
> /openssl req -newkey rsa:4096 -keyout clientKey.pem -out clientReq.pem/
>
> There was a huge difference in the time it took on each one of the
> platforms. On a first Linux Station it took about 10 seconds. While in the
> second Linux embedded board it took almost 2 minutes!
>
> Is the strength or efficiency of the processors the only way to explain the
> difference of time?
>
> Is there a way to reduce the duration of the process?
>
> --
> View this message in context:
> http://openssl.6102.n7.nabble.com/Duration-of-rsa-key-generation-process-tp51673.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> __
> OpenSSL Project                  http://www.openssl.org
> User Support Mailing List        openssl-users@openssl.org
> Automated List Manager           majord...@openssl.org
Re: Duration of rsa key generation process
Hi Benny,

Thanks for the useful info.
I built and installed the Haveged daemon on my embedded board.
Run it with:
./haveged -w 1028

I checked with command
cat /proc/sys/kernel/random/entropy_avail
that the available entropy jumps from 128 before running the daemon to >1028 after.

But unfortunately it doesn't seem to improve the performance, and it seems that it is even worse.

Do I use Haveged daemon properly?

Thanks.
P.L.
Re: Duration of rsa key generation process
On Thu, Jul 03, 2014 at 12:46:05AM -0700, phildoch wrote:
> I tested the generation of a certificate with a keypair RSA 4096 bit on two
> different platforms.
>
> The openssl command I used is:
> /openssl req -newkey rsa:4096 -keyout clientKey.pem -out clientReq.pem/
>
> There was a huge difference in the time it took on each one of the
> platforms. On a first Linux Station it took about 10 seconds. While in the
> second Linux embedded board it took almost 2 minutes!
>
> Is the strength or efficiency of the processors the only way to explain the
> difference of time?
>
> Is there a way to reduce the duration of the process?

The issue is probably getting good randomness and your Linux machine might not provide enough.

Ciao, Marcus
Re: Duration of rsa key generation process
Hi,

On 03.07.2014 09:46, phildoch wrote:
> I tested the generation of a certificate with a keypair RSA 4096
> bit on two different platforms.
>
> The openssl command I used is: /openssl req -newkey rsa:4096
> -keyout clientKey.pem -out clientReq.pem/
>
> There was a huge difference in the time it took on each one of the
> platforms. On a first Linux Station it took about 10 seconds. While
> in the second Linux embedded board it took almost 2 minutes!
>
> Is the strength or efficiency of the processors the only way to
> explain the difference of time?
>
> Is there a way to reduce the duration of the process?

I'm regularly working with 8192 bit RSA keys and it takes about 30 seconds to generate one. This is mainly due to the fact that I'm feeding lots of entropy to the kernel from various sources. On desktop computers and servers you usually have quite some sources to choose from, like hard disk timings, network timings, ... On embedded systems in contrast you are lacking most of those entropy sources and thus it takes much longer for OpenSSL to read enough random data.

If you want to speed things up you can have a look at Entropy Gathering Daemons like Haveged that try to gather additional entropy and feed it to the kernel. To get back to my example above: Without an entropy gathering daemon it takes multiple minutes on the same hardware.

So basically: performance is one factor, but a minor one. Much more important - not only for speed, but for security of the generated key - is sufficient entropy available to the kernel and thus for OpenSSL. If you lack entropy you get Debianized keys.

Regards,
BenBE.
Duration of rsa key generation process
I tested the generation of a certificate with a keypair RSA 4096 bit on two different platforms.

The openssl command I used is:
/openssl req -newkey rsa:4096 -keyout clientKey.pem -out clientReq.pem/

There was a huge difference in the time it took on each one of the platforms. On a first Linux Station it took about 10 seconds. While in the second Linux embedded board it took almost 2 minutes!

Is the strength or efficiency of the processors the only way to explain the difference of time?

Is there a way to reduce the duration of the process?