jruby / jruby-openssl

JRuby's OpenSSL gem
http://www.jruby.org

Improve performance of Diffie-Hellman key exchange #272

Closed steerlink closed 1 year ago

steerlink commented 1 year ago

Resolve the following issues:

  1. SSH connection stucked with NET::SSH_7.0.1 and OpenSSH_8.0 with FIPS enabled
  2. Diffie-Hellman implementation causes key exchange to hang and consume CPU

Improve performance of Diffie-Hellman key exchange by generating a cryptographically strong random number instead of a probable prime. RFC 4419 does not require or suggest x (private key) be prime.

Background
Benchmarks

[image: newplot]

☝️ Box plots (log scale) showing how long it takes to generate a probable prime of various bit lengths using the following constructor:

```java
// https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/math/BigInteger.html#%3Cinit%3E(int,int,java.util.Random)
BigInteger(int bitLength, int certainty, Random rnd);
```

Hoping to get this in the next release of JRuby.

@kares @headius
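As an added illustration (this is not code from the PR or from jruby-openssl), the Java program below contrasts the two ways of choosing the DH private exponent x that the description discusses: the probable-prime constructor quoted above versus a uniformly random value from a CSPRNG. It assumes the JDK's precomputed 2048-bit DH group (obtained via `KeyPairGenerator`) and uses 100 as an arbitrary demo certainty value; the PR does not state what certainty the gem used. The exchange at the end shows both sides derive the same shared secret whether or not either exponent is prime, which is why the prime requirement is unnecessary.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;

// Added example (not jruby-openssl code): compares the two ways of picking the
// DH private exponent x discussed in this PR and checks that a uniformly random
// x still yields a matching shared secret on both sides.
public class DhPrivateExponentDemo {

    // Demo parameter only: the PR does not quote the certainty jruby-openssl used.
    static final int CERTAINTY = 100;

    // Old approach from the PR description: ask BigInteger for a probable prime.
    // The primality testing dominates the cost, especially at 2048 bits.
    static BigInteger probablePrimeExponent(BigInteger p, SecureRandom rnd) {
        // bitLength - 1 keeps the result strictly below p
        return new BigInteger(p.bitLength() - 1, CERTAINTY, rnd);
    }

    // New approach: a uniformly random x in [1, p-2] from a CSPRNG. DH imposes
    // no primality requirement on x, so this is both faster and sufficient.
    static BigInteger randomExponent(BigInteger p, SecureRandom rnd) {
        BigInteger max = p.subtract(BigInteger.TWO);
        BigInteger x;
        do {
            x = new BigInteger(p.bitLength(), rnd); // uniform in [0, 2^bits - 1]
        } while (x.signum() == 0 || x.compareTo(max) > 0); // reject 0 and >= p-1
        return x;
    }

    // Plain DH exchange: both parties end up with g^(xa*xb) mod p.
    static boolean sharedSecretsAgree(BigInteger p, BigInteger g,
                                      BigInteger xa, BigInteger xb) {
        BigInteger ya = g.modPow(xa, p); // A's public value
        BigInteger yb = g.modPow(xb, p); // B's public value
        return yb.modPow(xa, p).equals(ya.modPow(xb, p));
    }

    // Uses the JDK's precomputed DH group of the given size so the demo does
    // not have to generate a safe prime itself.
    static DHParameterSpec defaultGroup(int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(bits);
        return ((DHPublicKey) kpg.generateKeyPair().getPublic()).getParams();
    }

    public static void main(String[] args) throws Exception {
        DHParameterSpec group = defaultGroup(2048);
        BigInteger p = group.getP();
        BigInteger g = group.getG();
        SecureRandom rnd = new SecureRandom();

        long t0 = System.nanoTime();
        BigInteger slowX = probablePrimeExponent(p, rnd);
        long slowMs = (System.nanoTime() - t0) / 1_000_000;

        t0 = System.nanoTime();
        BigInteger fastX = randomExponent(p, rnd);
        long fastMs = (System.nanoTime() - t0) / 1_000_000;

        System.out.printf("probable-prime x: %d ms, random x: %d ms%n", slowMs, fastMs);
        System.out.println("probable-prime x is prime: " + slowX.isProbablePrime(CERTAINTY));
        System.out.println("random x is prime: " + fastX.isProbablePrime(CERTAINTY));
        // The shared secrets agree regardless of whether either exponent is prime.
        System.out.println("secrets agree: " + sharedSecretsAgree(p, g, slowX, fastX));
    }
}
```

Running it with a 2048-bit group makes the gap visible: the probable-prime path spends its time in repeated Miller-Rabin rounds over candidates, while the random path returns almost immediately, and the final line prints `true` either way. The rejection loop in `randomExponent` is what keeps x inside [1, p-2] without biasing the distribution.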

kares commented 1 year ago

Thanks Sheldon, this is a very good catch!

You're right, the prime requirement seems a bit off; looking at history this existed all the way back when the PKeyDH class was introduced: https://github.com/jruby/jruby-openssl/commit/659dd94fdda65041186f86893748a0850d5afb51

I do not see a reason to have it in but would like to spend some time reading the RFC. I was already planning to do a JOSSL release soon, this should definitely be included.

There's still one missing compat feature I'd like to look into, so it might take a week or few...