[prev in list] [next in list] [prev in thread] [next in thread]
List: bouncycastle-crypto-dev
Subject: RE: [dev-crypto] Problem with time used to instantiate RSA Cipher
From: "Michael Saladin" <msaladin () e3ag ! ch>
Date: 2008-10-22 7:26:39
Message-ID: 1F6AD5491A0C6249A07D9AAC43036C99599415 () exchserver ! ch ! e3ag ! net
[Download RAW message or body]
Thanks a lot for all your help, it really has something to do with the
Java VM that I was using.
I develop with Java 1.5_05, and there the time used to call
Cipher.getInstance() takes about 2'500 millis the first time. But when I
switch to VM 1.5_16 or one of the 1.6, I get the result after about 600
millis or after 450 millis (1.6_10). This is much more better.
So shame on me, I should never have used such an old Java on my
development system.
Greetings
Michael
-----Original Message-----
From: David Hook [mailto:dgh@lockboxlabs.com]
Sent: Mittwoch, 22. Oktober 2008 00:47
To: Michael Saladin
Cc: dev-crypto@bouncycastle.org
Subject: Re: [dev-crypto] Problem with time used to instantiate RSA
Cipher
I can't really think of anything BC related that would cause this.
One thing you could try to isolate where the time is going is calling
MessageDigest.getInstance("SHA-1", "BC");
This will invoke the provider via the JCA. My guess is you'll find this
is a lot quicker. What's probably happening is that the JCE validation
of the jar and algorithm is what's churning the time. Moving the
provider jar into jre/lib/ext might also improve things.
Regards,
David
On Tue, 2008-10-21 at 16:14 +0200, Michael Saladin wrote:
> Hi all,
>
> We have a software that consists of a GUI (for the definition of
> something like "actions", and those definitions are stored in a
> database) and a background agent (daemon) that normally has no
> interaction with any user (the agent is used to execute those actions
> that were defined earlier in the GUI).
>
> An enduser makes definitions in the GUI (which stores these
> definitions in the DB) and then can intiate an action out of those
> definitions. No
> problem: The user authentication and authorisation are all done in the
> GUI (and in the database).
>
> We provide another way to initiate an action that can be automated or
> invoked on the command-line: The user can export the definitions from
> the DB into a file, and then use a command-line-tool to execute those
> actions according to the exported file (no connection to the DB is
> necessary).
>
> The last part seems to be of a problem. We want to make sure that the
> file has not been tampered with, and we want to allow the customer to
> use a company private key that those exported files cannot be traded
> with other customers. Therefore, each exported file starts with a
> PREFIX and then contains the definitions (CONTENT).
>
> When exporting:
> 1) The user has to provide a password,
> 2) We create a HASH about the CONTENT
> 3) We combine the HASH of the password and the HASH of the content
> 4) We sign the combined HASH with the companys PRIVATE key
>
> When the user then invokes the command-line-tool (a Java tool), the
> java tool reads the file and then creates the combined HASH of the
> provided password, of the rest of the file (CONTENT), and then checks
> if this is really what is written in the PREFIX of the file. For this,
> it checks the signature (decrypts the PREFIX with the public key).
> That works quite good.
>
> We experienced a problem when we use the SUN JCE. The problem is that
> our software runs on AIX and ZOS/USS as well (besides Windows, Solaris
> and Linux), and there is no SUN VM on those systems, therefore no SUN
> JCE. With the IBM JCE, it did not work. I suppose that the IBM JCE
> provides RSA, but with different padding algorithm, or with different
> block sizes. I did not find any way to export a file with the SUN VM
> and then execute the file with the command-line tool running with the
> IBM VM.
>
> The next thing I did try is to use BouncyCastle. This works great,
> but I need to deliver the external JAR file (1.6 MBytes) with the
> software and I need to make sure that the user has the correct version
> of Java for the JAR file.
>
> This would be possible, but it takes about 2'500 millis just for
> Cipher.getCipher() to return. This is too long for a
command-line-tool.
>
> I tried to find out what takes so long and tried to compile
> bouncycastle to be able to insert System.outs to find out where the
> time is lost. I can compile it and create a JAR file, but the JAR file
> is not signed so I cannot use it. When I sign it with a self-signed
> cert, I get an error telling me that this is not possible (Caused by:
> java.util.jar.JarException:
> file:/C:/apps/tgrid/lib_java/bcprov-jdk15-142b01.jar is not signed by
> a trusted signer).
>
> So I'm a little stuck here. Can anybody explain to me what takes 2'500
> millis at the start when I'm invoking:
>
> Cipher cipher1 = Cipher.getInstance("RSA", "BC");
>
> By the way, it takes almost the same amount of time when I'm invoking
> another cipher algorithm, e.g. DES or IES. But once I have invoked
> getCipher for one algorithm, it is very fast for a subsequent
algorithm.
>
>
> This would be no problem for a server daemon or process running in the
> background and only have an initialization once, but a user assumes
> that a command-line-utility is fast and retruns an answer promptly.
> 2.5 seconds is too long for an ordinary user just to have invoked a
> command with no reply from the program.
>
> Any ideas/help is appreciated.
> Thank you.
> Michael
>
>
>
>
>
>
>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic