[Openswan Users] Rsasigkey problem
Paul Wouters
paul at xelerance.com
Mon Nov 20 12:30:01 EST 2006
On Mon, 20 Nov 2006, conn intel wrote:
> I am using Linux Openswan 2.4.6 (klips) as module. Now I am trying to
> generate rsakeys using the following command:
>
> ipsec rsasigkey 512 > key.txt
The proper way is to do: ipsec newhostkey --output /etc/ipsec.secrets
> Now it took a long time if I change from 512 to 1024, and even more with
> 2048. According to you, which value is enough?
1024 or 2048.
> And I think when I was using native openswan it took less time, can you
> please clear my doubt?
The IPsec stack is not used for key creation. It solely depends on the
amount of entropy on your system (ok and a bit of cpu).
> Any other way to get it done fast?
The fastest way is to buy a VIA CPU with PadLock. Their hardware random number
generator leaves everyone else (including Intel and AMD) in shame:
[root at dnssigner ~]# cat /proc/cpuinfo
processor : 0
vendor_id : CentaurHauls
cpu family : 6
model : 9
model name : VIA Nehemiah
stepping : 8
cpu MHz : 1199.924
Make sure to have the proper hardware rng driver loaded (padlock.ko or
intel_rng.ko or amd_rng.ko) and to be running rngd with the line:
rngd -r /dev/hw_random -o /dev/random
(fedora rpms do not yet start rngd, bug has been filed for this)
then you'll see:
# time ipsec newhostkey --bits 2048 --output /tmp/delme
real 0m8.541s
user 0m8.333s
sys 0m0.032s
That's 8 seconds to generate a 2048 bit RSA key.
You can generate all your ipsec.secrets files on one machine, and copy
them over, if the target machine is embedded and has practically no
entropy.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
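As an added example (not part of Paul's reply or of Openswan's own tooling), a small pre-flight script that reports the kernel's entropy estimate and whether a hardware RNG device and rngd are present before running newhostkey; the 1000-bit threshold and the newer /dev/hwrng device name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight entropy check
# to run before "ipsec newhostkey" on a box that may be entropy-starved.
# Assumptions: Linux /proc and /dev layout; MIN_ENTROPY is an arbitrary
# threshold chosen for this example.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail
MIN_ENTROPY=1000

# Print the kernel's entropy estimate (bits) read from the given file,
# or -1 when the file cannot be read (non-Linux host, restricted container).
entropy_avail() {
    if [ -r "$1" ]; then cat "$1"; else echo -1; fi
}

# Classify a bit count against a threshold: prints "ok" or "low".
classify_entropy() {
    if [ "$1" -ge "$2" ]; then echo ok; else echo low; fi
}

# Report whether a hardware RNG device node and a running rngd are present.
hwrng_status() {
    dev=no; daemon=no
    # /dev/hw_random is the name used in the post; newer kernels use /dev/hwrng
    if [ -c /dev/hw_random ] || [ -c /dev/hwrng ]; then dev=yes; fi
    if command -v pgrep >/dev/null 2>&1 && pgrep -x rngd >/dev/null 2>&1; then
        daemon=yes
    fi
    echo "hw_random_device=$dev rngd_running=$daemon"
}

# Run the checks, then time key generation as in the post if ipsec is installed.
main() {
    bits=$(entropy_avail "$ENTROPY_FILE")
    state=$(classify_entropy "$bits" "$MIN_ENTROPY")
    echo "entropy_avail=$bits ($state)"
    hwrng_status
    if [ "$state" = low ]; then
        echo "warning: low entropy; newhostkey may stall waiting on /dev/random"
    fi
    if command -v ipsec >/dev/null 2>&1; then
        time ipsec newhostkey --bits 2048 --output /tmp/delme
    fi
}

# Only run the checks when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke as `sh entropy-check.sh --run`; on a starved embedded box the warning line is the cue to generate the keys elsewhere and copy them over, as suggested above.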