> -----Original Message----- > From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Jakob Bohm > Sent: Friday, December 21, 2012 8:23 PM > To: openssl-users@openssl.org > Subject: Re: RSA_private_decrypt function takes longer time. > > On 12/21/2012 1:13 PM, Tayade, Nilesh wrote: > > Hi, > > > > I am using the RSA_private_decrypt() function in one of the custom > applications, where we expect the premaster to get decrypted faster. [...]
> The explanation is simple: > > The cost of an RSA operation depends on the number of bits in the > exponent used (private or public). Choosing the private or public > exponent can speed up the operation with that exponent, but also > seriously reduces the number of "guesses" needed to figure out what > that chosen exponent is. So it is insecure to do so for the private > key, and the best one can do is to choose an easy exponent for the > public key (typically 0x10001=65537), which makes the public key > operation much faster than the private key operations, but doesn't > slow down the private key operation compared to using a random > number for the public exponent. > > So the RSA private key operation (in *any* quality implementation) is > almost always much slower than the public key operation. Thanks for that explanation. > Some things that can speed up the private key operation without > compromising security: > > - Make sure your stored private key includes the extra numbers to speed > up the calculation using the Chinese remainder theorem trick (OpenSSL > can work with or without them, but operating with them is faster. > There are mathematical formulas for converting a "d only" private key > to a Chinese remainder private key without having to generate new keys, > so it is a one time configuration task. Is the conversion supported by openssl utility (e.g. the way we convert .PEM to PKCS8 format openssl pkcs8 -topk8 -in <PEM file> -out <PKCS8 format file>)? Does openssl support PEM to CRT conversion? I did not get any direct command for this conversion. > > - To thwart timing attacks on RSA in network protocols, OpenSSL does > some extra "masking operations" before using a private key. You may be > able to coach OpenSSL into setting up a precomputed pool of masking > data structures before the incoming network requests arrive, thus > shaving some time off the response time, especially if the load is a > little uneven, rather than a sustained maximum-capacity test load. > -- Thanks, Nilesh > > Enjoy > > Jakob > -- > Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com > Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 > This public discussion message is non-binding and may contain errors. > WiseMo - Remote Service Management for PCs, Phones and Embedded ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
