SSH2 会话中计算成本最高的步骤是什么?
我试图弄清楚在 SSH2 密钥交换/身份验证/会话初始化中到底是什么使用了最多的 CPU。我正在针对嵌入式 CPU 对其进行优化,目前会话初始化似乎是最大的瓶颈。具体来说,我使用带有 RSA 密钥对的 dropbear 服务器。 RSA 或其部分之一是否需要大量 CPU 处理能力?
谢谢!
I'm trying to figure out what exactly uses the most CPU in a SSH2 key-exchange/authentication/session initialization. I'm optimizing it for an embedded CPU, and currently session initialization seems to be the biggest bottleneck. Specifically, I'm using dropbear server with RSA keypair. Does RSA or one of its parts require significant CPU power?
Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
SSH2 密钥交换中最昂贵的三个操作是(在服务器上):
第三个操作的速度要快得多,因为客户端使用 RSA 密钥对:RSA 签名验证非常快,而 DSA 签名验证成本高昂(实际上比 DSA 签名生成更昂贵) em>)。
DH 是通过两个组之一完成的,分别是 SSH 规范(第 8 节)。后者使用 2048 位模数,而前者则坚持 1024 位模数。预计较大的模数意味着 DH 成本是较小模数的 4 到 8 倍。然而,1024 位 DH 被认为与 1024 位 RSA 一样安全,因此,不建议用于长期安全(并且在 SSH 中,DH 用于获取实际的加密密钥;因此,您希望 DH 能够抵制,因为通过 SSH 连接交换的数据必须保密)。
同样,RSA 签名生成成本主要是密钥大小的立方:2048 位 RSA 签名生成所需的 CPU 大约是 1024 位 RSA 签名生成所需 CPU 的 8 倍。 DSA 签名生成可能比 RSA 签名生成快一些(可能快两倍)。
因此,更快的标准 SSH2 服务器 操作的建议是:
diffie-hellman-group1-sha1进行密钥交换(如果您可以容忍不是最佳的安全性);一些 SSH 实现(特别是较新版本的 OpenSSH)支持 ECDSA 签名,并且可以使用 ECDH(椭圆曲线上的 Diffie-Hellman)代替普通 DH。 ECDSA 和 ECDH 应该分别比 DSA 和 DH 快得多。此外,256 位椭圆曲线上的 ECDSA 和 ECDH 应能实现适当的长期安全性。在 OpenSSH 中,您可以通过将
KexAlgorithms服务器选项设置为ecdh-sha2-nistp256来为 ECDH 选择这样的曲线;和 ssh-keygen -t ecdsa -b 256 会在同一曲线上生成 ECDSA 密钥对。因此,更快的 OpenSSH 服务器操作的建议是:
为了加快客户端操作速度,请颠倒客户端和服务器密钥对上的条件。
The three most expensive operations in a SSH2 key exchange are (on the server):
The third operation is made much faster is the client uses a RSA key pair: RSA signature verification is very fast, whereas DSA signature verification is expensive (actually somewhat more expensive than DSA signature generation).
The DH is done over one of two groups, called
diffie-hellman-group1-sha1anddiffie-hellman-group14-sha1in the SSH specification (section 8). The latter uses a 2048-bit modulus, whereas the former sticks to a 1024-bit modulus. It is expected that the bigger modulus implies a DH cost between 4 and 8 times bigger than the smaller. However, 1024-bit DH is deemed to be about as secure as 1024-bit RSA, and, as such, not recommended for long-term security (and in SSH, the DH is used to obtain the actual encryption key; hence, you want the DH to resist for as lng as the data which was exchanged through the SSH connection must remain confidential).Similarly, RSA signature generation cost is mostly cubic in the key size: a 2048-bit RSA signature generation takes about 8 times the CPU than what a 1024-bit RSA signature generation requires. A DSA signature generation could be somewhat faster than a RSA signature generation (maybe up to twice faster).
So the recommendations for faster standard SSH2 server operation would be:
diffie-hellman-group1-sha1for key exchange (if you can tolerate the not optimal security);Some SSH implementations (in particular newer versions of OpenSSH) support ECDSA signatures, and may use ECDH (Diffie-Hellman on an Elliptic Curve) instead of plain DH. ECDSA and ECDH should be way faster than, respectively, DSA and DH. Moreover, ECDSA and ECDH over a 256-bit elliptic curve should achieve proper long-term security. In OpenSSH, you select such a curve for ECDH by setting the
KexAlgorithmsserver option toecdh-sha2-nistp256; andssh-keygen -t ecdsa -b 256will produce an ECDSA key pair on the same curve.So the recommendation for faster OpenSSH server operation are:
ecdh-sha2-nistp256for key exchange;For faster client operation, reverse the conditions on client and server key pairs.