2011/4/16 Chris Hill <chris.hill...@gmail.com>: [...] > SSL handshakes take more processing power in the server side than on the > client side (some commented in the order of 15x more). This is great news > for attackers who want to take down a site and the work has already be done > for them through recent exploits developed by the THC (exploiting > specifically the fact that a single workstation can initiate 200-1000 secure > renegotiations per second and take down a robust sites).
This 15x between server and client is for a small modulus key (<1024). As the modulus gets larger, the ratio grows also. On my Core i5 Mac, the ratio is 35x for a 2048bits RSA key. This is also valid only for RSA, and only for "classic" keys, ones with a small exponent. Switch to DSA, and verification takes more time than signature. Switch to ECDSA, and you'll even reduce your CPU usage. That will cost you a DH/ECDH key agreement, but with the actual version of thc-ssl-dos, the client will also suffer from it. If you're afraid some of your clients don't know DSA/ECDSA, then stay with RSA, but generate a key with a large public exponent (make it the same size as the modulus). That way, encryptions and verifications (done on client side) won't be accelerated, and the ratio is no more 35x, but only 1.4x (fast measurement on my machine, unoptimized). I'm sure one can gain a little bit more, maybe even reverse the speed ratio. -- Erwann.
