Re: [IPsec] DH keys calculation performance
"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Tue, 26 July 2011 15:13 UTC
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E724521F8834 for <ipsec@ietfa.amsl.com>; Tue, 26 Jul 2011 08:13:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lFBC7tbVr8US for <ipsec@ietfa.amsl.com>; Tue, 26 Jul 2011 08:13:38 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 2E46321F854D for <ipsec@ietf.org>; Tue, 26 Jul 2011 08:13:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=sfluhrer@cisco.com; l=2495; q=dns/txt; s=iport; t=1311693218; x=1312902818; h=mime-version:content-transfer-encoding:subject:date: message-id:in-reply-to:references:from:to:cc; bh=aAy3FOgsu2TLlswQFiCaQNMNKnoQYp0EkJkujxYL09s=; b=BVPnJD7tbGEuFshwzI3Pk0a2xIwYz8W5+hGQe5umbJhD8K01HtABEm5r CapyR76xQvyiGXMae2HAOuw31qNdL+jJFGnuwCbJjJ16Qk01N+CMSb7cl xqwHkOK7NvskuPdsLt/8Pshaa7Jj88nvAF8jASQ7RS9wFKgyuz14VJ5y1 w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Au4AAKXYLk6rRDoJ/2dsb2JhbAA2AQEBAQMUASEKNw4MBQIBCQ4DBAEBAQoGIwEGARM7DggBAQUBFgwbl1yPWnerfp5ghWFfBIdXkCuLcA
X-IronPort-AV: E=Sophos;i="4.67,269,1309737600"; d="scan'208";a="6521648"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by rcdn-iport-9.cisco.com with ESMTP; 26 Jul 2011 15:13:37 +0000
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p6QFDbqP029388; Tue, 26 Jul 2011 15:13:37 GMT
Received: from xmb-sjc-23e.amer.cisco.com ([128.107.191.15]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 26 Jul 2011 08:13:37 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 26 Jul 2011 08:13:33 -0700
Message-ID: <EE0C2F9E065E634B84FC3BE36CF8A4B2075E3BC0@xmb-sjc-23e.amer.cisco.com>
In-Reply-To: <90AEF529-7273-4695-BA31-4F221A4ACF45@checkpoint.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [IPsec] DH keys calculation performance
Thread-Index: AcxLgGtt7Mr1sXbTTLCdSZY1cCxZ2AAIzL6Q
References: <20013.29623.491247.654466@fireball.kivinen.iki.fi><B97B134FACB2024DB45F524AB0A7B7F203ED2B05@XMB-BGL-419.cisco.com> <90AEF529-7273-4695-BA31-4F221A4ACF45@checkpoint.com>
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Yoav Nir <ynir@checkpoint.com>, "Prashant Batra (prbatra)" <prbatra@cisco.com>
X-OriginalArrivalTime: 26 Jul 2011 15:13:37.0054 (UTC) FILETIME=[97CFE3E0:01CC4BA6]
Cc: ipsec@ietf.org
Subject: Re: [IPsec] DH keys calculation performance
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2011 15:13:39 -0000
> -----Original Message----- > From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf > Of Yoav Nir > Sent: Tuesday, July 26, 2011 6:40 AM > To: Prashant Batra (prbatra) > Cc: ipsec@ietf.org > Subject: Re: [IPsec] DH keys calculation performance > > > On Jul 25, 2011, at 11:29 PM, Prashant Batra (prbatra) wrote: > > > Hello, > > > > The DH exchange (Calculation of Public/Private key and the Secret) in > > IKEV2 Initial exchange > > seems to be very expensive. This is slowing down the overall IKEv2 > > tunnel establishment. > > Is there a way to optimize it? > > Hi Prashant. > > I know of three ways to optimize the D-H exchange. > > First, note that each peer has to perform two operations: > > Second, note that 2^73 mod p = ((2^64 mod p) * (2^8 mod p) * (2^1 mod > p)) mod p If you're using a 2048-bit D-H group, you can pre-calculate > 2^x mod p for 0<=x<=2048 and store these values. Surely, you mean something like 0<=x<320 or so. When you create a DH shared secret for a MODP group, it is pointless to create a secret as big as the prime. Against DH, there are two known types of attacks: (A) Attacks that take time based on the modulus (and don't depend on the value of the exponent at all) (B) Attacks that take time based on the exponent (and don't depend that much on the value of the modulus) What you want to do is pick your exponent just large enough that (B) attacks take about as long as (A) attacks; making the exponent any larger than that will make it more expensive for you without making it any more secure (because an attacker can just go ahead with an (A) attack); while making it smaller will make it less secure (because a (B) attack becomes easier). So, what's the size of such an exponent? Well, that's a difficult question; however, the RFC's do give guidance. If you're using a 2048 bit exponent for 2048 bit MODP group, that's an obvious thing to fix. If we look at RFC3526, we see that it suggests an exponent of length of between 220 and 320 bits (it's a range because experts have different estimates of how difficult type (A) attacks are). Also, if you're doing groups 22-24, then it's easy; use an exponent of the same size as 'q' (that'd be 160, 224 and 256 bits); a larger exponent is pointless. And, for completeness, for a ECDH group, it's also easy; use an exponent of the same size as the curve (e.g. 256 bits for the P256 curve).
- [IPsec] New Version Notification for draft-kivine… Tero Kivinen
- [IPsec] DH keys calculation performance Prashant Batra (prbatra)
- Re: [IPsec] DH keys calculation performance Vishwas Manral
- Re: [IPsec] DH keys calculation performance Yoav Nir
- Re: [IPsec] DH keys calculation performance Yaron Sheffer
- Re: [IPsec] DH keys calculation performance Prashant Batra (prbatra)
- Re: [IPsec] DH keys calculation performance Dan Harkins
- Re: [IPsec] DH keys calculation performance Scott Fluhrer (sfluhrer)
- Re: [IPsec] DH keys calculation performance Yoav Nir
- Re: [IPsec] DH keys calculation performance Hugo Krawczyk
- Re: [IPsec] DH keys calculation performance Scott Fluhrer (sfluhrer)
- [IPsec] IPSec implementation query. Prashant Batra (prbatra)
- Re: [IPsec] DH keys calculation performance Naveen B N (nbn)
- Re: [IPsec] DH keys calculation performance Naveen B N (nbn)
- Re: [IPsec] DH keys calculation performance Scott Fluhrer (sfluhrer)
- Re: [IPsec] DH keys calculation performance Naveen B N (nbn)
- [IPsec] New method to resist replay attack in ike… ramaswamy
- Re: [IPsec] DH keys calculation performance Scott Fluhrer (sfluhrer)
- Re: [IPsec] DH keys calculation performance Naveen B N (nbn)
- Re: [IPsec] Perfect Forward secrecy Naveen B N (nbn)
- Re: [IPsec] Perfect Forward secrecy Yoav Nir
- Re: [IPsec] Perfect Forward secrecy Dan Harkins
- Re: [IPsec] Tokes = Session key + lifetime Naveen B N (nbn)
- Re: [IPsec] Perfect Forward secrecy Stephen Kent
- Re: [IPsec] Avoid multiple authentication's Naveen B N (nbn)
- Re: [IPsec] Avoid multiple authentication's Yaron Sheffer
- Re: [IPsec] Avoid multiple authentication's Naveen B N (nbn)
- [IPsec] New method to resist replay attack in ike… Tero Kivinen
- Re: [IPsec] New method to resist replay attack in… ramaswamy
- Re: [IPsec] New method to resist replay attack in… Tero Kivinen
- Re: [IPsec] New method to resist replay attack in… ramaswamy
- Re: [IPsec] New method to resist replay attack in… ramaswamy
- Re: [IPsec] New method to resist replay attack in… ramaswamy