Heuristically picking # of bits forgnutls_dh_params_generate2

Sam Varshavchik mrsam at courier-mta.com
Sat Dec 10 20:47:29 CET 2011


Kamenik, Aleksander writes:

> Not enough entropry maybe, it's usually quite low on VMs. Input devices and  
> network traffic should/might help.
>
> cat /proc/sys/kernel/random/entropy_avail to check, compare that with the  
> host OS.

Thanks, but this is not Linux, and entropy is not the issue here.

> Regards,
>
> Aleksander Kamenik
> System Administrator
> Krediidiinfo AS
> an Experian Company
> Phone: +372 665 9649
> Email: aleksander at krediidiinfo.ee
>
>
> > -----Original Message-----
> > From: help-gnutls-bounces+aleksander.kamenik=krediidiinfo.ee at gnu.org
> > [mailto:help-gnutls-bounces+aleksander.kamenik=krediidiinfo.ee at gnu.org]
> > On Behalf Of Sam Varshavchik
> > Sent: Saturday, December 10, 2011 6:42 PM
> > To: help-gnutls at gnu.org
> > Subject: Heuristically picking # of bits forgnutls_dh_params_generate2
> >
> > Does anyone happen to know of a good heuristic to come up with some
> > reasonable number of bits at runtime that I can give to
> > gnutls_dh_params_generate2, and have reasonably odds of coming up with
> > a DH pair in, maybe, 5-10 seconds.
> >
> > I was hacking on some code in a 32 bit guest VM, and I thought that I
> > was corrupting something, because gnutls_dh_params_generate2 was
> > seemingly getting stuck, spinning forever. But it turns out that it was
> > really just very, very slow.
> >
> > I don't think it's the VM itself, it seems to run reasonably well to
> > me.
> > Regular compiles get completed at a fairly reasonable pace. I don't
> > know if it's just that gmp is slow on i686, if something is not right
> > with the rnd generator, or something other reason. I'm just used to my
> > native x86-64 bare metal cranking out a key at a good clip. After
> > feeding 2048 bits to
> > gnutls_dh_params_generate2 it cranks something out in only a few
> > seconds.
> >
> > But, for whatever reason may be, flipping over to an i686 guest VM, and
> > gnutls_dh_params_generate2 runs slow as molasses. I'm clocking a 1024
> > bit run of gnutls_dh_params_generate2 to take several minutes long,
> > typically.
> > Sometimes I get lucky, and come up with a 1024-bit based parameter in
> > 5-10 seconds. But my last two runs took a minute and a half, and over
> > three minutes, each, and that's typical. With GNUTLS_SEC_PARAM_NORMAL
> > telling me that I should use 3072 bits, that'll probably take a day.
> >
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: </pipermail/attachments/20111210/b92f84a1/attachment.pgp>


More information about the Gnutls-help mailing list