On Thu, Aug 22, 2013 at 10:35:33AM -0700, Robert Relyea wrote:
> On 08/19/2013 11:06 AM, Kurt Roeckx wrote:
> > I understand that ECC might be more secure and is faster, so you want
> > to prefer ECC. But currently there aren't many servers that have ECDHE
> > yet, so we should be careful what the order is in case it's not
> > available and try to use DHE in that case. The current list didn't do
> > that but this one does.
>
> This is ECC marketing. When we did the measurements (10 years ago), RSA
> was significantly faster on modern 64-bit machines than ECC at the 1024
> bit level, and a push at the 2048 bit level (this is measuring SSL
> connection performance). That is assuming ECDH. ECDHE is 3 times slower
> than ECDHE. RSA gets a one for one performance boost every time you
> increase the speed of the modular multiply, whereas ECC only gets 20%
> or so of that.
Some stats I've seen show ECDHE being almost 3 times faster than DHE for
2048 bits. ECDHE is slower than an RSA key exchange, but it's something
like 10-20%.

> The ECC win is that ECC is more secure at lower key sizes, and its
> security profile is linear. RSA's security profile is exponential:
> Example of typical equivalences:
>
> Symmetric 80   ECC 160   RSA 1024
> Symmetric 128  ECC 256   RSA 2048
> Symmetric 192  ECC 384   RSA 4096
> Symmetric 256  ECC 512*  RSA 8K

It's not exactly the numbers I've seen, the RSA values I've seen are
higher, but I guess this is good enough. No problem with being more
conservative.

> > I understand that for a 2048 bit public key a 128 bit symmetric key
> > should be good enough, but for a 4096 you should have a larger key. I
> > see that about 2% is using keys of 4096 bit.
>
> It's a question of where your weakest link is. 2048 matches better with
> 256 than 128. 4096 bit keys are overkill for a server leaf certificate.

Not according to your own table above. What I'm saying is that for a
4096 bit RSA key, the 128 symmetric key would be weaker and we probably
want to use a 256 key in that case. But for a 2048 bit RSA key a 128
symmetric should be enough.


Kurt

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
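Two points in this exchange lend themselves to a small simulation: the ordering question (a client that ranks ECDHE first must still keep DHE ahead of plain RSA key transport, or a server without ECDHE ends up on a suite with no forward secrecy), and Kurt's "weakest link" reading of the quoted equivalence table. The following Python is an added illustration, not code from NSS or from anyone on the thread. The cipher-suite lists and the ECDHE-less server are constructed for the example (the names follow OpenSSL conventions, and they are not the actual NSS preference lists); the strength table is the one quoted above; `negotiate` models client-preference selection only, which is an assumption about the server's behaviour.

```python
"""Added example: cipher-suite order with and without ECDHE available,
plus a weakest-link check using the equivalence table quoted in the thread.
Illustrative code only; lists and server are constructed, not real NSS data."""

# Constructed preference list in the spirit of the proposal: ECDHE first,
# then DHE, then static-RSA key transport last.
PROPOSED_ORDER = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
]

# Hypothetical order that puts a non-forward-secret RSA suite ahead of DHE.
NAIVE_ORDER = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256",
]


def key_exchange(suite):
    """Classify the key-exchange part of an OpenSSL-style suite name."""
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith("DHE-"):
        return "DHE"
    return "RSA"  # static RSA key transport: session keys depend on the cert key


def forward_secret(suite):
    """Ephemeral (EC)DH gives forward secrecy; static RSA transport does not."""
    return key_exchange(suite) in ("ECDHE", "DHE")


def negotiate(client_prefs, server_suites):
    """Pick the first suite in the client's order that the server supports.

    Assumes client-preference negotiation; many servers apply their own
    order instead, which is why both sides should rank ECDHE > DHE > RSA.
    """
    offered = set(server_suites)
    for suite in client_prefs:
        if suite in offered:
            return suite
    return None


# Strength equivalences exactly as quoted in the thread, in symmetric bits.
RSA_TO_SYMMETRIC = {1024: 80, 2048: 128, 4096: 192, 8192: 256}
ECC_TO_SYMMETRIC = {160: 80, 256: 128, 384: 192, 512: 256}


def weakest_link(rsa_bits, symmetric_bits):
    """Return (component, symmetric-equivalent bits) for the weaker of the
    certificate's RSA key and the bulk cipher key, per the quoted table."""
    rsa_equiv = RSA_TO_SYMMETRIC[rsa_bits]
    if rsa_equiv < symmetric_bits:
        return ("rsa", rsa_equiv)
    if symmetric_bits < rsa_equiv:
        return ("symmetric", symmetric_bits)
    return ("balanced", symmetric_bits)


if __name__ == "__main__":
    # Constructed server that offers DHE and static RSA but no ECDHE at all.
    legacy_server = [
        "DHE-RSA-AES128-GCM-SHA256",
        "AES128-GCM-SHA256",
        "AES256-GCM-SHA384",
    ]
    for name, order in (("proposed", PROPOSED_ORDER), ("naive", NAIVE_ORDER)):
        chosen = negotiate(order, legacy_server)
        print(f"{name}: {chosen} (forward secret: {forward_secret(chosen)})")
    print(weakest_link(4096, 128))  # the 128-bit symmetric key is the weak link
    print(weakest_link(2048, 128))  # balanced per the quoted table
    print(weakest_link(1024, 128))  # the 1024-bit RSA key is the weak link
```

Against the ECDHE-less server the proposed order lands on a DHE suite and keeps forward secrecy, while the naive order falls through to static RSA key transport. The `weakest_link` results are just the quoted table read the way Kurt reads it: with a 4096-bit certificate key, a 128-bit cipher is the weaker component, and with a 2048-bit key it matches.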