From: Tomas G. <to...@pr...> - 2004-06-07 06:47:03
You don't say what 1, 2, 3 and 4 below mean? Note though, that EJBCA creates two keypairs when creating a new CA, so a longer time than generating a single keypair is expected.

Cheers,
Tomas

Ken Gunderson wrote:

>On Sunday 06 June 2004 01:10 pm, Tomas Gustavsson wrote:
>
>>It might have something to do with the crypto-package we're using,
>>BouncyCastle. I'll forward the message to their mailing list to get
>>an answer. 4096 bits should take quite a bit longer than 2048. How
>>long does it take for OpenSSL?
>>
>>Cheers,
>>Tomas
>>
>
>I) OpenSSL
>
>2.8 GHz Xeon- FreeBSD 4.9-RELEASE-p5
>
>1- 30 sec.
>2- 60 sec.
>3- 70 sec.
>
>Ran more tests on PIII-700- FreeBSD 5.2.1-RELEASE-p8
>
>1- 30 sec
>2- 2 min
>3- 2 min
>4- 15 sec
>
>Between test 3 & 4 I "seeded" /dev/random with a lot of keyboard
>activity, multiple logins, a find running on one, top on another,
>reading obscure man pages on another. So the nic was busy shuttling
>packets to all the logins. I also pointed a ping at it. PII
>
>Xeon machine is FBSD-4.9 and apparently not tuned to collect the
>entropy, and I couldn't get 15 sec result playing the same games I did
>prior to test 4 on PIII machine.
>
>I wonder if this may have something to do with the "quality" of
>randomness in /dev/random degrading after creating multiple keys and
>then it needs to "wait" to collect sufficient amount to generate the
>next set??
>
>On PIII machine:
>
>rootshell# sysctl kern.random
>kern.random.sys.seeded: 1
>kern.random.sys.harvest.ethernet: 1
>kern.random.sys.harvest.point_to_point: 1
>kern.random.sys.harvest.interrupt: 1
>kern.random.sys.harvest.swi: 0
>kern.random.yarrow.gengateinterval: 10
>kern.random.yarrow.bins: 10
>kern.random.yarrow.fastthresh: 192
>kern.random.yarrow.slowthresh: 256
>kern.random.yarrow.slowoverthresh: 2
>
>man 4 random points me at <http://www.schneier.com/yarrow.html> for more
>info on yarrow controls...
>
>Xeon machine doesn't sport those knobs...
>
>II) Ejbca
>
>Xeon machine
>
>1- 4096 bit self signed root ca- 3 min. 35 sec.
>2- 4096 bit sub ca signed by #1, about the same.