> -----Original Message----- > From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Jakob Bohm > Sent: Friday, December 21, 2012 8:23 PM > To: openssl-users@openssl.org > Subject: Re: RSA_private_decrypt function takes longer time. > > On 12/21/2012 1:13 PM, Tayade, Nilesh wrote: > > Hi, > > > > I am using the RSA_private_decrypt() function in one of the custom > applications, where we expect the premaster to get decrypted faster. [...]
> The explanation is simple: > > The cost of an RSA operation depends on the number of bits in the > exponent used (private or public). Choosing the private or public > exponent can speed up the operation with that exponent, but also > seriously reduces the number of "guesses" needed to figure out what > that chosen exponent is. So it is insecure to do so for the private > key, and the best one can do is to choose an easy exponent for the > public key (typically 0x10001=65537), which makes the public key > operation much faster than the private key operations, but doesn't > slow down the private key operation compared to using a random > number for the public exponent. > > So the RSA private key operation (in *any* quality implementation) is > almost always much slower than the public key operation. > > Some things that can speed up the private key operation without > compromising security: Thanks Jakob. > - Make sure your stored private key includes the extra numbers to speed > up the calculation using the Chinese remainder theorem trick (OpenSSL > can work with or without them, but operating with them is faster. > There are mathematical formulas for converting a "d only" private key > to a Chinese remainder private key without having to generate new keys, > so it is a one time configuration task. Coming back to this. I dumped the PEM key in text format, and it shows n, d, dQ, dP, qInv, p and q. Does that mean my private key is not just a 'd-only' key? > > - To thwart timing attacks on RSA in network protocols, OpenSSL does > some extra "masking operations" before using a private key. You may be > able to coach OpenSSL into setting up a precomputed pool of masking > data structures before the incoming network requests arrive, thus > shaving some time off the response time, especially if the load is a > little uneven, rather than a sustained maximum-capacity test load. I would appreciate any link or further pointers on this. I am not so familiar with operations on RSA key. > > Enjoy > > Jakob > -- -- Thanks, Nilesh ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
