Well, this is not quite adapted to the situation. OpenSSL is a library and it doesn't spawn any process. Moreover, the issue is with the internal built-in RNG of OpenSSL and a simple user of OpenSSL cannot change its implementation. Apart from a change to OpenSSL internals, the only option is to implement an engine that exports its own RNG implementation through a custom RAND_METHOD structure.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On 5/4/2011 7:02 PM, carlyo...@keycomm.co.uk wrote:
Start second process as a daemon so it only does the entropy gathering at process start-up?



*On Wed 04/05/11 5:35 PM, Mounir IDRASSI mounir.idra...@idrix.net sent:*


    Indeed, there has already been a modification to OpenSSL in order to
    limit the observed delay, but that doesn't completely solve the
    problem.
    This issue is linked to an internal design of OpenSSL which uses heap
    walking as a means to gather entropy, and unfortunately Windows 7 has
    made this mechanism more expensive than previous Windows versions.
    So, this issue won't be solved unless there is a major change to OpenSSL
    entropy gathering architecture, which doesn't appear to be coming any
    time soon.

    Cheers,
    --
    Mounir IDRASSI
    IDRIX
    http://www.idrix.fr

    On 5/4/2011 6:14 PM, Ashwin Chandra wrote:
    > Okay I read the complete bug report and it looks like there is a fix in
    > the latest openssl. However I checked it out and it limits the maximum
    > time RAND_poll will take to a second. 1000ms. Is there any other way to
    > speed this up?
    >
    > -----Original Message-----
    > From: owner-openssl-us...@openssl.org
    > [owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
    > Sent: Wednesday, May 04, 2011 4:47 AM
    > To: openssl-users@openssl.org
    > Subject: Re: RSA_private_decrypt across processes
    >
    > Hi,
    >
    > This could be related to the slowness of RAND_poll under Windows 7. See:
    > http://rt.openssl.org/Ticket/Display.html?id=2100&user=guest&pass=guest
    > Your second process is certainly trying to initialize its RNG and that's
    > why you see this delay.
    > Do you confirm that you are executing these processes under Windows 7?
    >
    > --
    > Mounir IDRASSI
    > IDRIX
    > http://www.idrix.fr
    >
    > On 5/4/2011 7:02 AM, Ashwin Chandra wrote:
    >> I generate an RSA key using RSA_generate_key in one process. I then
    >> take the RSA structure that is generated and serialize it and send it
    >> to another process via an RPC mechanism. In the other process I then
    >> de-serialize the RSA data and use that as input to an
    >> RSA_private_decrypt function to decrypt some data that was previously
    >> encrypted with the RSA public key.
    >>
    >> This works fine and I am able to decrypt the data successfully, HOWEVER,
    >> it takes a long time to do so, like up to 2 seconds. It is almost as
    >> if it is doing another key generation in the background. Note that if
    >> I do this RSA_private_decrypt in the same process as the one that
    >> generated the key, it takes around 20-30 ms.
    >>
    >> This leads me to think that maybe there is some static data that the
    >> openssl library uses in RSA_private_decrypt that was cached when I
    >> generated the key and now is not available since it is a new process.
    >>
    >> Can anyone enlighten me on this?
    >>
    > ______________________________________________________________________
    > OpenSSL Project http://www.openssl.org
    > User Support Mailing List openssl-users@openssl.org
    > Automated List Manager majord...@openssl.org


