Heuristically picking # of bits forgnutls_dh_params_generate2

Kamenik, Aleksander aleksander.kamenik at krediidiinfo.ee
Sat Dec 10 18:17:13 CET 2011


Not enough entropry maybe, it's usually quite low on VMs. Input devices and network traffic should/might help.

cat /proc/sys/kernel/random/entropy_avail to check, compare that with the host OS.

Regards,

Aleksander Kamenik
System Administrator
Krediidiinfo AS
an Experian Company
Phone: +372 665 9649
Email: aleksander at krediidiinfo.ee


> -----Original Message-----
> From: help-gnutls-bounces+aleksander.kamenik=krediidiinfo.ee at gnu.org
> [mailto:help-gnutls-bounces+aleksander.kamenik=krediidiinfo.ee at gnu.org]
> On Behalf Of Sam Varshavchik
> Sent: Saturday, December 10, 2011 6:42 PM
> To: help-gnutls at gnu.org
> Subject: Heuristically picking # of bits forgnutls_dh_params_generate2
> 
> Does anyone happen to know of a good heuristic to come up with some
> reasonable number of bits at runtime that I can give to
> gnutls_dh_params_generate2, and have reasonably odds of coming up with
> a DH pair in, maybe, 5-10 seconds.
> 
> I was hacking on some code in a 32 bit guest VM, and I thought that I
> was corrupting something, because gnutls_dh_params_generate2 was
> seemingly getting stuck, spinning forever. But it turns out that it was
> really just very, very slow.
> 
> I don't think it's the VM itself, it seems to run reasonably well to
> me.
> Regular compiles get completed at a fairly reasonable pace. I don't
> know if it's just that gmp is slow on i686, if something is not right
> with the rnd generator, or something other reason. I'm just used to my
> native x86-64 bare metal cranking out a key at a good clip. After
> feeding 2048 bits to
> gnutls_dh_params_generate2 it cranks something out in only a few
> seconds.
> 
> But, for whatever reason may be, flipping over to an i686 guest VM, and
> gnutls_dh_params_generate2 runs slow as molasses. I'm clocking a 1024
> bit run of gnutls_dh_params_generate2 to take several minutes long,
> typically.
> Sometimes I get lucky, and come up with a 1024-bit based parameter in
> 5-10 seconds. But my last two runs took a minute and a half, and over
> three minutes, each, and that's typical. With GNUTLS_SEC_PARAM_NORMAL
> telling me that I should use 3072 bits, that'll probably take a day.
> 



More information about the Gnutls-help mailing list