On Tue, Mar 25, 2014 at 06:41:38PM +0100, Julien Muchembled wrote:

> There has been a recent discussion on debian-devel on this subject:
> RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us
> bury your old 1024D key!)
>
> In particular:
>
> * http://thread.gmane.org/gmane.linux.debian.devel.announce/1893/focus=191567
>
> We can read that 4096-bit RSA should be preferred over ECDSA.

No, that email discusses RSA versus ECDSA in the context of PGP keys. Since
not all PGP software handles ECDSA keys yet, RSA keys are preferred for now.

> * http://thread.gmane.org/gmane.linux.debian.devel.announce/1893/focus=191567
>
> How is ECDSA used in Tinc? It seems a proper implementation is to not rely
> on a RNG, as described by RFC 6979.

It currently is implemented using the ECDSA functions provided by OpenSSL. I
don't think it uses the method from RFC 6979 yet.

> http://safecurves.cr.yp.to/ does not list P-521 but there's no reason to
> think it does not have any flaw of other NIST curves. E-521 may be a better
> choice but it seems too new.

Currently I'm strongly thinking about moving to Ed25519 keys, for several
reasons: it has a very nice design (efficient constant-time implementation is
easy, curve is generated in a non-suspect way), and I can easily add the
reference implementation to tinc's source code, just like the OpenSSH folks
did.

> Then I wonder: would it be possible to choose the algo to use in the new tinc
> protocol?

The new protocol will not support choosing arbitrary algorithms. I'm focussing
on only one ciphersuite now (ECDHE-ECDSA-AES256GCM), although I think after
that has stabilized I will add a second suite as a fallback in case the main
one is not trustworthy anymore.

> (BTW, when testing ExperimentalProtocol=yes, I was surprised to see that
> tincd refuses to start if there's no private RSA key)

That will be fixed before 1.1.0 is released.

> About performance:
>
>                            sign       verify     sign/s   verify/s
> 521 bit ecdsa (nistp521)   0.0005s    0.0012s    1891.0   829.8
> rsa 4096 bits              0.010225s  0.000164s  97.8     6100.3
>
> I guess Tinc uses both operations equally, so RSA would be slower.

That's correct.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <[email protected]>
