-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi,
Am 03.07.2014 09:46, schrieb phildoch: > I tested the generation of a certificate with a keypair RSA 4096 > bit on two different platforms. > > The openssl command I used is: /openssl req -newkey rsa:4096 > -keyout clientKey.pem -out clientReq.pem/ > > There was a huge difference in the time it took on each one of the > platforms. On a first Linux Station it took about 10 seconds. While > in the second Linux embedded board it took almost 2 minutes! > > Is the strength or efficiency of the processors the only way to > explain the difference of time? > > Is there a way to reduce the duration of the process? I'm regularly working with 8192 bit RSA keys and it takes about 30 seconds to generate one. This is mainly due to the fact that I'm feeding lots of entropy to the kernel from various sources. On Desktop computers and server you usually have quite some sources to choose from, like hard disk timings, network timings, ... On embedded systems in contrast you are lacking most of those entropy sources and thus it takes much longer for OpenSSL to read enough random data. If you want to speed things up you can have a look at Entropy Gathering Daemons like Haveged that try to gether additional entropy and feed it to the kernel. To get back to my example above: Without an entroy gathering daemon on the same hardware takes multiple minutes. So basically: performance is one factor, but a minor one. Much more important - not only for speed, but for security of the generated key - - is sufficient entropy available to the kernel and thus for OpenSSL. If you lack entropy you get Debianized keys. Regards, BenBE. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJTtQ3YAAoJEPHTXLno4S6t6bUP/3U00Lu68oDRHeo8kRXXrRxe 3Ya+yLwRAzFzZr1NxWgGSHamVymTcY2cR2V7J+xHf1adlSelJtFOyO2iRO9riM5a gQry4Jwzb7etVLqO9i2hy9cKz/ZxQhBd+XRrQvPhRUhfpEz+pRfQ+aemgte3BF7i jTmBwDDHXWQUm7mqpBi7niCHq2rK4oMgyXosYInA1sNfsQWtdVFOpIBehuHxSEGs LX1oFdhV7Oc0aLVljOCeEQM5nPMn1aYllKn/W5UPwuKtCmk6G1G46M/9nM7xIjRR BUM/M6mERkzvwSAtHnamZaHfMG6ofm+LI9MoIb+v8ZguMci9WzZu39h54lpT/bk8 EaU0zA8MvBaDRyhtRVwJrNHEuLHWSAvNS4hYPD57t+R8dHQ5NeJ9nVBD+5F778Td CbyrRrrmFP23a0tY4DQBtULaK8CmSdE2W8W3ewSugkrDW04Y3jJD+IVBxcjhBUuD n7R9WBlQ6g6zt3l6gjBbNMB99w95YBdHpdbhvEKilIT/loUnm6YTxiDVtV+SdWgt VExgVjHMH4vXXjmGk8PdVsqD/fEnvDrHurm2Le31czGKX9GMTkAPVhjp1o3JRAZR iWqs/9T1IvULsbRgRU7xCwt3AD5yLCN7wVGsMKDUj7RP8sdEkoIG4Ul2+R/ZE0Cy nG0znvixjFFMk4Bkm9Eg =Cxwn -----END PGP SIGNATURE----- ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
