[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] Please discuss: draft-housley-evidence-extns-00

To: mark@xxxxxxxxxxxxxxxxxxxx (Mark Brown)
Subject: Re: [TLS] Please discuss: draft-housley-evidence-extns-00
From: Martin Rex <martin.rex@xxxxxxx>
Date: Mon, 8 Jan 2007 20:28:35 +0100 (MET)
Cc: tls@xxxxxxxx
In-reply-to: <00ab01c7313b$091326b0$6801a8c0@xxxxxxxxx> from "Mark Brown" at Jan 5, 7 08:33:22 pm
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
Reply-to: martin.rex@xxxxxxx

Mark Brown wrote:
> 
> Regarding performance estimates, whether you use a FIPS 140 accelerator or
> not, the cost of two digital signatures and the extra TLS Evidence messages
> is less than the 20+ round trips made to load the page, even if the client
> is using multiple connections.  

In the past I have seen 2 measurements with hardware crypto involved in
digital signature generation for use in a backend application server,
and both times, the price was high and the performance was unconvincing.

One was a crypto hardware on a PCI extension board for PCs being used
for an SPKM1 mechanism, and the other was an NCipher crypto box
with SCSI-Interface being used for the Server side of SSL.

The were two problems:

(1) latency setting up the crypto hardware for each individual operation.
    for the SPKM1 mechanism using digital-signature based MICs, this
    resulted in 9milliseconds per message protection call.

(2) doesn't scale as well as multi-core/multi-CPU setups that are
    being used these days.
    I my test setup, a current dual-Xeon (plus HT) running Linux
    machine was just as fast as an older dual-CPU Solaris workstation
    with the SCSI-attached NCipher box.

Longer RSA keys will favour the hardware approach, but still, the
performance/price ratio of the crypto hardware seems to have
difficulty competing with raw CPU horsepower, especially for
blade-size&cost server setups.

The bottleneck in some of the entry-level crypto hardware solutions
might be in the smartcard interface (io speed).

And the performance of serial SmartCard readers for end users
performing RSA crypto operations is > 100x slower than software-based
RSA on a PC, so you really don't want to have any of these participating
every roundtrip of your communication.

Btw. in some scenarios, when clients are authenticated based
on X.509 certs (e.g. on an SSL/TLS Web Server) it might at least as
important to protect the list of trust anchors from tampering
as to guard the servers keypair...

-Martin

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

References:
- RE: [TLS] Please discuss: draft-housley-evidence-extns-00
  - From: Mark Brown

Prev by Date: Re: [TLS] Please discuss: draft-housley-evidence-extns-00
Next by Date: Re: [TLS] Please discuss: draft-housley-evidence-extns-00<
Previous by thread: RE: [TLS] Please discuss: draft-housley-evidence-extns-00
Next by thread: Re: [TLS] Please discuss: draft-housley-evidence-extns-00
Index(es):
- Date
- Thread