[openssl-users] Openssl software failure for RSA 16K modulus

Erwann Abalea Erwann.Abalea at docusign.com
Fri Jul 22 09:59:17 UTC 2016


Bonjour,

Le 22 juil. 2016 à 08:44, Gupta, Saurabh <Saurabh.Gupta at cavium.com<mailto:Saurabh.Gupta at cavium.com>> a écrit :


1: I didn't get it, Why this behaviour is not coming for other ciphers while doing the server/client handshake?

It should fail for other ciphers also.


Ciphers:  working

DHE-RSA-AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
...... etc

Because the key exchange is performed using DHE or ECDHE here, and parameters are much smaller than your server authentication key.
If you configure a 16k DH group and choose to use DHE as the key exchange algorithm, you’ll surely fall under the same error.

Ciphers: Not working
AES128-SHA
AES256-SHA
...... etc

RSA key exchange.

2: if anyway I want to use 16k modulus, Do we have solution to avoid this issue so that it won't harm to other application or create any new attack?

3: ECC cipher is not my main concerned.

You should be concerned about the security provided by your choices, and not pure raw numbers.


4: I didn't face any issue like memory utilisation or CPU utilisation is more if I'm running more than one client in the case of 16k modulus.

Your measuring tools are bad, change them ;)
Signing with a 16k RSA key is way slower than with a 2048bits key, and again way slower than using ECC.

According to NIST, equivalent « security levels »:
RSA15360, DH15360, ECC512 (or 521)
RSA7680, DH7680, ECC384
RSA3072, DH3072, ECC256

Measurements done on my machine:
Signing with ECDSA over the P521 curve is 600x faster than signing with a 15kRSA key.
Performing a key exchange with ECDH over the P521 curve is about 180x faster than decrypting with a 15k RSA key.

Using the P384 curve and a 7kRSA key, the numbers are 180x faster and 50x faster.
Using the P256 curve and a 4kRSA key, numbers are about 90x faster for both operations.

I don’t have any measurements for DH key exchange, but it should cost twice more than doing a private RSA operation, and also impacts the client, and when used within TLS it comes in addition to an RSA signing operation.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160722/22c74b70/attachment-0001.html>


More information about the openssl-users mailing list