On Fri, Nov 01, 2024 at 12:45:31PM +0000, Roman Fischer wrote: > I'm not generating a lot of keys… 😉 The last time I used openssl to > generate a keypair it took a few seconds. But of course, you're right, > it scales as it's done on the subscriber side.
It must have been a while since you generated a private key. Here's my (not particularly impressive) home box CPU, which is also doing a bunch of other stuff: $ time openssl genrsa 2048 -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- real 0m0.131s user 0m0.130s sys 0m0.001s $ time openssl genrsa 4096 -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- real 0m1.040s user 0m1.032s sys 0m0.008s $ time openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- real 0m0.019s user 0m0.019s sys 0m0.000s $ time openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-384 -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- real 0m0.023s user 0m0.015s sys 0m0.008s $ time openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-521 -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- real 0m0.005s user 0m0.005s sys 0m0.000s EC keys are quick to generate because you don't have to keep rolling the dice until you get two of the "right" numbers. Ironically, a move to shorter certificate lifetimes and preventing the reuse of keys would mean that using smaller-sized (ie quicker to generate) RSA keys would be much safer than they are today. If an attacker can't crack the key within a month (or three), there's no point even trying, because that key will be useless forever more in the WebPKI. We could bring back RSA-1024! :trollface: - Matt -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/aae52919-2476-4c8a-b6a8-a373b96c71d4%40mtasv.net.
