On 5/1/2011 3:31 AM, derleader mail wrote:
> So I need a high performance solution that can handle many connections
> with little server load.
> 1. SSL is a good solution but is not high performance - it's more
> suitable for encryption of a web page. When establishing a connection more
> than 100 connections are used to perform the SSL handshake and is not
> suitable for big binary data.

I don't know where you're getting that from, but it's totally incorrect.
The SSL handshake, if repeated between the same two endpoints multiple
times, is quite high performance because the sessions can be cached. As
for big binary data, why do you think SSL is unsuitable?

> 2. Symmetric encryption is more suitable because it is high performance
> and will scale very well.

SSL is symmetric encryption. PK is used for session setup and key
negotiation, but the encryption of bulk data is symmetric.

> I need a high performance optimized solution.
> What is your opinion?
> What will be the best approach?

SSL. It's already well-maintained and heavily optimized. It can easily
be proxied without understanding the underlying application protocol.
Padding, message integrity, session caching, authentication and the like
are already done.
As a plus, SSL permits easily adjusting the encryption and
authentication schemes to provide the desired balance between
performance and security. And SSL accelerators are widely available --
for example, newer Intel processors have AES acceleration, so if you use
SSL, those who have them can choose AES as the bulk encryption protocol.
Had you decided on blowfish and locked it in the way you seem to be
planning, it would take significant changes to get the benefit of AES-NI.
Also, you will have a much harder time getting your project accepted if
you just made up the security scheme yourself. The effort required to
ensure the scheme was properly designed and implemented (especially
given all the false starts and misunderstandings so far) would almost
certainly drastically outweigh any hypothetical performance benefit you
might get.
DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
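
An added example, not part of the original message or of the OpenSSL project's code: a loopback server and client built on Python's `ssl` module show the session reuse the reply describes, where the second connection between the same endpoints resumes the cached session instead of repeating the full handshake. It assumes an `openssl` binary on PATH to create a throwaway certificate, and it pins the client to TLS 1.2 so the session object is usable right after the first handshake; the function names are illustrative.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_cert(tmpdir):
    # Constructed test material: throwaway self-signed cert for "localhost".
    cert, key = os.path.join(tmpdir, "cert.pem"), os.path.join(tmpdir, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost"],
                   check=True, capture_output=True)
    return cert, key

def serve(listener, ctx, count):
    # Handle `count` connections one after another on the same server context.
    for _ in range(count):
        conn, _addr = listener.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(16)
                tls.sendall(b"ok")
        except (ssl.SSLError, OSError):
            pass

def connect(ctx, port, session=None):
    # Returns (session, session_reused) for one client connection.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname="localhost", session=session) as tls:
            tls.sendall(b"ping")
            tls.recv(16)
            return tls.session, tls.session_reused

def demo():
    with tempfile.TemporaryDirectory() as tmpdir:
        cert, key = make_cert(tmpdir)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
        client_ctx.load_verify_locations(cert)
        client_ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # assumption: keeps the demo simple
        with socket.create_server(("127.0.0.1", 0)) as listener:
            port = listener.getsockname()[1]
            worker = threading.Thread(target=serve, args=(listener, server_ctx, 2), daemon=True)
            worker.start()
            session, first_reused = connect(client_ctx, port)      # full handshake
            _, second_reused = connect(client_ctx, port, session)  # resumed from cached session
            worker.join(5)
    return first_reused, second_reused

if __name__ == "__main__":
    print(demo())
```

The client must reuse the same `SSLContext` and pass the saved session back in; a fresh context per connection forces a full handshake every time.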