در تاریخ چهارشنبه ۲۹ ژانویهٔ ۲۰۲۰، ۰:۰۵ Viktor Dukhovni <
openssl-us...@dukhovni.org> نوشت:
> On Tue, Jan 28, 2020 at 06:24:06PM +, Dan Heinz wrote:
>
> > >RSA is not intended for bulk data decryption, its intended uses are
> > >key transport and signing. Bulk data decryption is done via AES or
> > >similar.
>
> It sounds like you're directly encrypting data with RSA. That's a
> mistake. RSA is for decrypting a symmetric algorithm key, that then
> decrypts the data.
>
> > >Are you sure that's seconds and not milliseconds? These are absurdly
> > >long times, almost certainly dominated by factors other than the
> > >encryption algorithms. On my 2015 laptop (MacOS) I get:
> >
> > Yes, it is seconds.
>
> Sorry, 0.6 seconds for a single 1024-bit RSA_private_decrypt() (128
> bytes of data) is not plausible, but you say you have just over 8KB of
> data, which would take ~65 calls to RSA_private_decrypt() to decrypt
> piecewise. It sure looks like you're measuring something other than
> what you claim to be measuring, or not describing it accurately.
>
> OpenSSL 1.1.1c-dev xx XXX
> options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int)
> blowfish(ptr)
> compiler: cc -fPIC -arch x86_64 -g -O0 -Wall -DL_ENDIAN -DOPENSSL_PIC
> -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
> -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM
> -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM
> -D_REENTRANT
> signverifysign/s verify/s
> rsa 1024 bits 0.000135s 0.13s 7414.8 78566.9
>
> On my laptop RSA_private_decrypt (aka sign) takes 135 microseconds. You
> claim 600 milliseconds for perhaps ~60 calls, which might be 10ms each,
> but that still is about two orders of magnitude too slow.
>
> So, sorry whatever you're measuring, it is not the performance of
> RSA_private_decrypt().
>
> > While I'm ok with the execution speed with OpenSSL 1.0.2, I'd like to
> > figure out why the times doubled with OpenSSL 1.1.1.
>
> Neither is a reasonable performance level, but also it is not reasonable
> to use RSA for bulk data encryption.
>
> > I'm logging times before and after the calls to RSA_private_decrypt.
>
> How many calls? What else is happening to feed the data into the
> decryption algorithm, and reassemble the output?
>
> > With OpenSSL 1.0.2 it takes on average about 4-8 milliseconds for each
> > RSA_private_decrypt call. With OpenSSL 1.1.1d, it takes 10-15
> > milliseconds for each RSA_private_decrypt call.
>
> Now we see that you're in fact chunking data for multiple calls to
> "decrypt" via RSA. That's a fatal design flaw. This is not a valid
> operating mode for RSA. You MUST NOT do this.
>
> > >> I'm wondering if perhaps my build configuration is incorrect or
> > >> missing something for the 1.1.1d build. Here are the configuration
> > >> parameters for the 64-bit build:
>
> You have a deeper problem, your use of RSA is broken.
>
> > The data being decrypted is local on the client machine and is just an
> XML file.
> > RSA key is 1024 bits.
> > I'm using OAEP padding.
>
> This is a mistake, for asymmetric encryption you should be using CMS.
>
> > Thank you for the information. I removed it from the configuration
> > parameters. I didn't really notice a difference in execution time
> > though. I also removed the no-asm parameter, setup nasm, and rebuilt
> > with no noticeable changes.
>
> Likely the time is dominated by something other than the RSA operations,
> but since those are mistake anyway, it hardly matters.
>
> > > I logged things granular enough to see the speed difference was in
> > > RSA_private_decrypt, but I'm not sure why it is so much slower with
> > > 1.1.1d. Any help or ideas would be appreciated!
>
> STOP. Fix your design to use CMS. Report any performance differences
> in CMS between 1.0.2 and 1.1.1 when built correctly with asm support.
>
> > >At 600ms for 8KB, it is not plausible that the time is spend doing
> > >cryptography. That's barely fast enough to feed a 1980's modem.
> >
> > I would expect the execution times to be more in line with what I saw
> > with Linux for both 1.0.2 and 1.1.1. But even so, I do not understand
> > why just upgrading to 1.1.1 causes the RSA_private_decrypt calls to
> > double in execution time from what they were with 1.0.2?
>
> I would expect execution times that are 2 to 3 orders of magnitude
> faster, especially if you were using sound cryptographic primitives.
>
> --
> Viktor.
>
