On Jan 21, 2:36 pm, Nelson Bolyard <nonelsons...@nobolyardspam.me> wrote:
> Jean-Daniel wrote to mozilla.dev.security on 2009-01-20 10:42 PST:
>
> > Hello, I'm trying to generate a keypair using nss, but I encounter some
> > issues. My key generation can take up to 30 seconds on a recent machine
> > (Core 2 Duo 2.2 GHz) (most generations take less than 10 seconds, and
> > sometimes less than 5 seconds, but even 10 seconds is more than what I
> > expect).
>
> What version of NSS?

NSS 3.12 with NSPR 4.7 (the nss-3.12-with-nspr-4.7 source package).

> What OS?

Mac OS 10.5.6 (darwin 9.6.0)

> Can you list the .o (or .obj) files built under nss/lib/freebl/*

in Darwin_SINGLE_SHLIB:

aeskeywrap.o alg2268.o alghmac.o arcfive.o arcfour.o camellia.o des.o
desblapi.o dh.o dsa.o ec.o freebl.def freeblver.o ldvector.o
libfreebl3.dylib md2.o md5.o mp_gf2m.o mpcpucache.o mpi.o mplogic.o
mpmontg.o mpprime.o pqg.o prng_fips1861.o rawhash.o rijndael.o rsa.o
sha512.o sha_fast.o shvfy.o sysrand.o tlsprfalg.o

For instance, the compiler invocation for mpprime.c is the following one
(other freebl objects are compiled using the same flags):

    cc -o Darwin9.6.0_OPT.OBJ/Darwin_SINGLE_SHLIB/mpprime.o -c -O2 -fPIC \
      -Di386 -Wmost -fpascal-strings -fno-common -pipe -DDARWIN \
      -DHAVE_STRERROR -DHAVE_BSD_FLOCK -DXP_UNIX -DSHLIB_SUFFIX=\"dylib\" \
      -DSHLIB_PREFIX=\"lib\" -DSHLIB_VERSION=\"3\" \
      -DSOFTOKEN_SHLIB_VERSION=\"3\" -DRIJNDAEL_INCLUDE_TABLES -UDEBUG \
      -DNDEBUG -DUSE_UTIL_DIRECTLY -DMP_API_COMPATIBLE \
      -I../../../../dist/Darwin9.6.0_OPT.OBJ/include \
      -I../../../../dist/public/nss -I../../../../dist/private/nss \
      -Impi -Iecl mpi/mpprime.c

> > Did I miss something? Is there any magic flag to improve this? Or a
> > faster RSA keygen function in nss?
>
> I have an AMD Athlon 64 running at 2.2 GHz. I did a test generating a
> bunch of 2k bit RSA key pairs. I repeatedly executed the command
>
>     time certutil -d DB -G -g 2048 -f pwfile -z noisefile
>
> I found that average time was 2 seconds, maximum was 17 seconds, minimum was
> under 1/2 second. These seem like expected/normal times to me. I'm
> surprised that your system is taking much longer.
>
> Generating a 2k bit RSA key requires finding two 1k bit prime numbers.
> At that size, prime numbers are pretty sparse and it can take a long
> time, sifting through lots of numbers, to find a prime that big. There
> is natural variability in that process because prime numbers are not
> uniformly distributed in the number space. But still, I don't expect
> your times to be a large multiple of my times, given similar CPUs and
> speeds.
>
> Please follow up in the mozilla.dev.tech.crypto news group.

I did another simple test that calls SECKEY_CreateRSAPrivateKey() in a
loop and then calls the OpenSSL equivalent to compare both functions.
NSS does not perform as badly as I first thought, but it remains slower
than what I expect on a modern machine.

See the results for 20 loops:

----------- NSS -----------
average: 5714 ms
min: 1240 ms, max: 15160

----------- OpenSSL -----------
average: 1646 ms
min: 385 ms, max: 4744

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto