000028025 - Improving Diffie-Hellman performance in Crypto-J

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000028025
Applies To: Crypto-J 4.1
Issue: Improving Diffie-Hellman performance in Crypto-J
We've observed very poor SunJSSE TLS performance when using ephemeral Diffie-Hellman cipher suites with BSAFE as the most-preferred Security provider. Upon investigation it seems the Diffie-Hellman implementation from the JsafeJCE provider is about 100 times slower than the implementation that comes with the Sun JDK for identical key sizes.

The following code can be used to reproduce this issue:

import java.security.KeyPairGenerator;
import java.security.KeyPair;
import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.*;

/**
 * DHTest
 */
public class DHTest {
 public static void main(String[] args) throws Exception {

  long start = System.currentTimeMillis();
  for (int i = 0; i < 10; ++i)
  {
   KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");

   // On server
   kpg.initialize(768);
   KeyPair kp1 = kpg.generateKeyPair();
   KeyAgreement ka1 = KeyAgreement.getInstance("DH");
   ka1.init(kp1.getPrivate());

   // On client
   kpg.initialize(((DHPublicKey)kp1.getPublic()).getParams());
   KeyPair kp2 = kpg.generateKeyPair();
   KeyAgreement ka2 = KeyAgreement.getInstance("DH");
   ka2.init(kp2.getPrivate());

   // On server
   ka1.doPhase(kp2.getPublic(), true);
   byte[] serverkeybytes = ka1.generateSecret();

   // On client
   ka2.doPhase(kp1.getPublic(), true);
   byte[] clientkeybytes = ka2.generateSecret();
  }
  long stop = System.currentTimeMillis();
  System.out.print("Milliseconds used: " + (stop - start));
 }
}

Cause: The main reason for the performance difference is that Crypto-J generates new DH domain parameters, whereas the Sun provider uses a default set of DH domain parameters.
In Crypto-J, when the initialize(int) method is called, a new set of parameters is generated using the specified bit length. The Sun provider, on the other hand, fetches a pre-generated set of parameters for the given bit length. Sun caches default parameters for 512, 768 and 1024 bit lengths.
Resolution

To speed up the DH operations with Crypto-J, you can use a pre-generated set of parameters, rather than generating new parameters each time. The application could store these parameters somewhere, and fetch them each time DH key agreement is initialized, passing them to the initialize(AlgorithmParameterSpec) or initialize(AlgorithmParameterSpec, SecureRandom) method.

Crypto-J does not supply any default parameters, but there are some standardized parameters defined in RFC 5114 (http://tools.ietf.org/html/rfc5114).
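
The approach described in the Resolution, as an added example that is not RSA's or Crypto-J's own code: domain parameters are generated once, stored, and passed to initialize(AlgorithmParameterSpec) for every key pair. The class name, the file name dh-params.der and the 2048-bit size are assumptions of this example; only standard JCA calls are used.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AlgorithmParameterGenerator;
import java.security.AlgorithmParameters;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.spec.DHParameterSpec;

public class DHCachedParams {
    // Hypothetical file name and key size chosen for this example.
    private static final Path PARAM_FILE = Paths.get("dh-params.der");
    private static final int KEY_BITS = 2048;

    // Load stored domain parameters; generate and save them on first use only.
    static DHParameterSpec loadOrCreate() throws Exception {
        AlgorithmParameters params;
        if (Files.exists(PARAM_FILE)) {
            params = AlgorithmParameters.getInstance("DH");
            params.init(Files.readAllBytes(PARAM_FILE)); // ASN.1-encoded p and g
        } else {
            AlgorithmParameterGenerator gen = AlgorithmParameterGenerator.getInstance("DH");
            gen.init(KEY_BITS);
            params = gen.generateParameters();           // the slow step, done once
            Files.write(PARAM_FILE, params.getEncoded());
        }
        return params.getParameterSpec(DHParameterSpec.class);
    }

    // One side of the agreement: own private key combined with the peer's public key.
    static byte[] agree(KeyPair own, KeyPair peer) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(own.getPrivate());
        ka.doPhase(peer.getPublic(), true);
        return ka.generateSecret();
    }

    public static void main(String[] args) throws Exception {
        DHParameterSpec spec = loadOrCreate();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        long start = System.currentTimeMillis();
        for (int i = 0; i < 10; ++i) {
            kpg.initialize(spec); // reuses p and g; no parameter generation here
            KeyPair server = kpg.generateKeyPair();
            KeyPair client = kpg.generateKeyPair();
            if (!Arrays.equals(agree(server, client), agree(client, server)))
                throw new IllegalStateException("shared secrets differ");
        }
        System.out.println("Milliseconds used: " + (System.currentTimeMillis() - start));
    }
}
```

The stored parameter file determines the group used for every key agreement, so it should be writable only by the account that deploys the application.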

Notes: There are no security reasons for generating random parameters as opposed to using pre-generated parameters.
Enhancement request BSFCRYJ-785 has been created to track the need to use pre-generated parameters to improve performance.
Legacy Article ID: a49157
