[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Jessie-discuss] FYI: Diffie Hellman parameters
From: |
Martin Egholm Nielsen |
Subject: |
Re: [Jessie-discuss] FYI: Diffie Hellman parameters |
Date: |
Wed, 12 Oct 2005 09:24:08 +0200 |
User-agent: |
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050319 |
Hello Casey,
I've noticed that the default Diffie Hellman parameters -- "group 18"
-- take a very long time to create session keys, even when run compiled
with GCJ. This causes Firefox to time out (Mozilla browsers use DH key
exchanges before RSA ones, it seems).
Hear!
These parameters are very large, so it is probably one of:
- A really slow random number generator.
- A really slow BigInteger implementation.
that's causing this problem (I'm pretty sure Classpath has both of
these).
And Sun's VM, as well... Running on a P4 I'm seeing this...
> The solution is to specify a different group with the
"jessie.key.dh.group" security property, e.g.:
Security.setProperty ("jessie.key.dh.group", "5");
This comes at a cost of security margin (smaller numbers use smaller
primes), but for most applications, group 5 is probably good enough.
Tadaaah!! It works!
I can now remove my silly exclusions:
if (allCiphers[i].endsWith("_DHE_RSA_WITH_AES_256_CBC_SHA")
|| allCiphers[i].endsWith("_DHE_RSA_WITH_AES_128_CBC_SHA")
|| allCiphers[i].endsWith("_DHE_RSA_WITH_3DES_EDE_CBC_SHA")
|| allCiphers[i].endsWith("_DHE_RSA_WITH_DES_CBC_SHA"))
{
// Remove the cipher...
} // if
Though not tested on my embedded target (133mhz ppc + GCJ) yet...
I'm going to change the default group to something smaller; group 5
looks good to me, a key exchange takes about 3sec with GCJ BC- compiled
GNU Crypto and Jessie.
Super!
Thanks Casey - you're the best!
// Martin