开发者

Which it better? Pre-generate asymmetric keys or generate them in real-time?

Assuming a keystore is se开发者_如何学Pythoncure and one needs to service around a million keys, is it better to generate asymmetric keys in real-time or is it better to generate a bunch of keys and store them to be used as and when required?

Edit 1: By real time I mean generate a key pair when a user registers for the first time, from then on that key pair is used for all communication with the user.


Asymmetric keys have a public part and a private part; the public part is used to perform the operation which complements that which is done with the private part (e.g. you sign with the private key, and you verify the signature with the public key; or you encrypt data with the public key, and decrypt it with the private key). The point of asymmetric keys is that the private and public parts can be known by distinct entities; namely, that the public part is, well, public (everybody knows it) while the private part remains private.

Consequently, generating an asymmetric key "in real-time" makes little sense in most situations: what gives some value to a private key is that the public key is already known to some other party.

One can still imagine some situations in which "real-time" generation of asymmetric keys can be of use. For instance, SSL connections using one of the "ephemeral Diffie-Hellman" cipher suites: the DH keys, which can be called "asymmetric", are generated for each connection, the public part being then signed by the server (with another asymmetric key, which is not generated on-the-fly: the public key is the one in the server certificate) and then sent to the connecting client. In such a situation, pre-generating DH key pairs and storing them could be viewed as a kind of optimization, but a bad one since DH key pair generation is very fast, and private key storage is a complex and delicate issue.

Edit: if your problem is about key generation upon user registration vs key generation and storage in advance: assuming that server-side key generation is indeed what you want, key generation and storage in advance is worthwhile only as an optimization, if on-the-fly generation proves to be too expensive to handle peaks (occasionally, many users trying to register at the same time). I suggest that you try and bench and make sure that the problem really exists, before implementing a "solution", because private key secure storage is somewhat tricky. RSA key generation is quite fast (on a basic PC, you can easily generate a dozen RSA keys per second), and with discrete-log (DSA, Diffie-Hellman, El-Gamal) or elliptic-curve based cryptosystems, it is even considerably faster (e.g. ten thousands new EC key pairs per second, with a PC).

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜