| Re: draft-urien-eap-smartcard-06.txt | <– Date –> <– Thread –> |
From: Pascal Urien (Pascal.Urien enst.fr)
|
|
| Date: Fri, 20 Aug 2004 12:39:54 -0400 (EDT) | |
Hi Thomas
At 18:00 20/08/2004 +0200, Thomas Otto wrote:
That's correct.
Most of the time is spent in digests functions
Smartcard is usually a 10 MHz 8bit micro-controller including a crypto-processor..
Pascal
At 18:00 20/08/2004 +0200, Thomas Otto wrote:
Hi Pascal,
I just had a look at your website ... Under the headline "the first EAP-TLS smartcard is operational in the ENST Wi-Fi network" you provide an ethereal packet dump of a full EAP-TLS authentication. I measured the total time of this conversation. The time difference between EAP-Request/Identity at 17:46:21 and EAP-Success at 17:46:58, are 37 seconds.
That's correct.
More precisely, the client needs almost 30 seconds to send ClientKeyExchange, CertificateVerify, and ChangeCipherSpec (in frame 52), where I remember ClientKeyExchange requires the 48 byte premaster secret. (which requires expensive computations ..)
This step cost around 1x RC4, 3x RSA-1024 and about 1000 x MD5&SHA1 512bits- blocks computation.
Most of the time is spent in digests functions
So, is there hope for a speedup or is EAP-TLS not suitable for the EAP smartcard? How much Java influences this duration?
Usually digests functions are not supported by crypto processors and are directly computed by 8 bit micro-controllers, that why they are slow.
Some crypto algorithms like RC4, HMAC-MD5, HMAC-SHA1, TLS-PRF are written in java card language. The solutions in order to dramatically decrease the computing time are the following
- using smart cards with crypto processors supporting digests functions - defining java card API for HMAC-MD5, HMAC-SHA1 and TLS-PRF (in progress ...)
In contrast to this, as answer to "Are smartcards performances sufficient ?" we get the information, "Usually smart cards include crypto-processors that compute the RSA 2048 bits algorithm in less than 0,5s."
All crypto processors supports RSA. RSA is not an issue for smart cards.
This is great, so I suppose the card above lacks of such a crypto-processor ?
As i mentioned it above, RSA is not an issue. Digests functions are the main bottleneck performances
May I compare this to the running time of my implementation of EAP-PSK, which took for a full authentication only 0.75 seconds. There is a strange 0.25 second delay between Identity Request and Response, so essentially we have 0,5 seconds for the protocol. By the way, the notebook used for this test was nothing special, just a 4year old 400 MHz machine ;-)
Smartcard is usually a 10 MHz 8bit micro-controller including a crypto-processor..
AES is supported by javacard 2;2. I have not yet performances figures for EAP-PSK, it seems compatible with existing components.
Thomas
Pascal
References [1] http://www.infres.enst.fr/~urien/security/eap-tls-trace.pdf [2] http://t13.mine.nu/EAP-PSK/020604-eappsk.pcap _______________________________________________ eap mailing list eap [at] frascone.com http://mail.frascone.com/mailman/listinfo/eap
-
draft-urien-eap-smartcard-06.txt Pascal Urien, August 19 2004
-
Re: draft-urien-eap-smartcard-06.txt Thomas Otto, August 20 2004
- Re: draft-urien-eap-smartcard-06.txt Pascal Urien, August 20 2004
- Re: draft-urien-eap-smartcard-06.txt Mohamad Badra, August 20 2004
-
Re: draft-urien-eap-smartcard-06.txt Thomas Otto, August 20 2004
Results generated by Tiger Technologies using MHonArc.