offline keygeneration

Prasad ndprasad at gmail.com
Tue Sep 26 03:26:10 WST 2006


Hi Matt,
I was checking through the code to figure out how to make it run faster
(I am using a DSS hostkey now). I found that gen_kexdh_vals (&dh_f,
&dh_y) takes about half of the time. So I wrote a task to pre-generate
that when the system is not doing anything else and write it to a tmp
file. This improves the speed by a factor of two (since dropbear reads the keys
from the file when the connection request comes).

Now I have a few questions, assuming I am going to use dropbear sparsely,
just to set a few parameters.
1) Is this method right?
2) How secure is this? Assume I regenerate the key, say, 5
minutes after the current login, for use by the next login. (Until that
time, if any other login request comes, it can use the same key.)
3) The task I wrote does the following initialization,
seedrandom();
reseedrandom();
crypto_init();
m_mp_init_multi(&dh_priv, &dh_pub, NULL);
before calling gen_kexdh_vals (&dh_f, &dh_y). Do I need to add any
more initialisation for offline key generation?
4) It also fails a few times with this method (need to investigate why).

Appreciate your response,
Thanks
- Prasad

On 7/19/06, Matt Johnston <matt at ucc.asn.au> wrote:
> On Tue, Jul 18, 2006 at 06:53:18PM -0700, Prasad wrote:
> > The only problem now I have is that the entire process is really slow
> > until I get the login. It takes about 90 secs for me to get the shell.
> > (With or without the changes for my own interpreter). After I get
> > login everything is pretty fast. The size of the SSH key is 1024 bit.
> > (512 bytes reduces the time by about 60 secs).
> >
> > Doing a quick check, the majority of the time taken was in the mp_exptmod()
> > routine, with each call taking around 25 secs. I am running my
> > processor (microblaze) at about 60 MHz with hardware multiplier, divider
> > enabled.
> >
> > From your knowledge, is there any way to accelerate this in software,
> > or is the only way to increase this by hardware acceleration?
>
> Using a DSS hostkey might be faster than RSA, you could try
> that. I assume you're already compiling with -O2 (or whatever
> works for your platform) - that can make a big difference.
> Aside from that, I'm not really sure. Looking at a faster
> math library (or optimising LibTomCrypt) could be an option.
> It looks as if TomsFastMath might be a fairly easy
> replacement, though I'm not sure how portable or mature that
> is.
>
> Cheers,
> Matt
>
>
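An added example, not part of the original message and not Dropbear code: one way to keep a pre-generated key-exchange value strictly single-use, since a DH private value shared by several logins means one leaked file exposes every session that used it. The function names kex_store and kex_claim, the blob format and the file path are hypothetical; the sketch assumes the file lives in a directory that only the server's user can write to.

```c
/* Added example, not Dropbear code. Assumes `path` lives in a directory
 * that only the server's user can write to (not a shared /tmp). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Idle task: store one pre-generated blob (hypothetical format: the
 * serialized private and public values). O_EXCL never overwrites an
 * unclaimed value; mode 0600 keeps the private exponent owner-only. */
int kex_store(const char *path, const unsigned char *blob, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    int ok = write(fd, blob, len) == (ssize_t)len && fsync(fd) == 0;
    if (close(fd) != 0 || !ok) {
        unlink(path);               /* never leave a partial value behind */
        return -1;
    }
    return 0;
}

/* Connection: claim the blob for exactly one key exchange. rename() is
 * atomic, so only one of two concurrent logins wins; the loser gets -1
 * and must generate fresh values in-line. */
ssize_t kex_claim(const char *path, unsigned char *out, size_t cap)
{
    char mine[512];
    struct stat st;
    ssize_t got = -1;
    int n = snprintf(mine, sizeof mine, "%s.%ld", path, (long)getpid());
    if (n < 0 || (size_t)n >= sizeof mine || rename(path, mine) != 0)
        return -1;
    int fd = open(mine, O_RDONLY | O_NOFOLLOW);
    unlink(mine);                   /* single use: removed before it is read */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && st.st_uid == geteuid() &&
        (st.st_mode & 077) == 0 && st.st_size > 0 && (size_t)st.st_size <= cap)
        got = read(fd, out, (size_t)st.st_size);
    close(fd);
    return got;
}
```

A caller that gets -1 from kex_claim falls back to generating the values during the connection, so an empty or tampered cache costs time rather than security.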


