How Long Does It Take to Generate an Asymmetric Cryptography Key Pair?


By Mike Danseglio, August 28, 2013

This is part 3 of using Public Key Infrastructure (PKI) and Private Key Cryptography for your Windows Server 2012 environment.

Part 1: Selecting a Key Size for Your Root Certificate Server in Windows Server 2012 AD CS.
Part 2: Selecting a Cryptographic Key Provider in Windows Server 2012 AD CS.

In this post, we’ll look at the time involved in generating asymmetric key pairs.

Many technologies use asymmetric, or public-private key, cryptography today. If you’re using Public Key Infrastructure (PKI), IP Security (IPSec), virtual private networking (VPN), or even a secure web site that supports SSL, you’re using asymmetric key cryptography.

At the outset, asymmetric key cryptography was devised as an infrequent-use solution because of two important limitations:

  1. Creating an asymmetric key pair is mathematically intensive
  2. Asymmetric key cryptography is not efficient on large amounts of data

It is this first limitation that I’m addressing in this blog.

In brief, generating a useful key pair today is a nearly trivial operation that takes very little time and few resources.

Timing Key Generation

To dispel this myth I used two scenarios:

  1. Windows Server 2012 Active Directory Certificate Services generating a 2048-bit RSA key for a self-signed certificate. This is on a single-CPU server with 2048MB of RAM running inside VMware.
  2. OpenSSL generating a similar 2048-bit RSA key on an Intel i7 3.6GHz with 32MB of RAM.

I chose these two scenarios because of their diversity. The first is a more common IT scenario with limited resources and the test is being run inside a guest operating system with its associated resource overhead. The second is a streamlined command-line geek-centric approach that should be significantly faster.

Before I disclose the results, note that the first time I generated a key pair of this size was over 10 years ago. That process took more than a day.

  • Scenario 1: 7 seconds to generate the key pair.
  • Scenario 2: 4 seconds to generate the key pair.
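To see where the time in a measurement like this goes, the following added example (not the author's test code, and not what AD CS or OpenSSL run internally) times RSA key generation in pure Python and counts how many random candidates were tested before two primes were found. The function names are assumptions made for this sketch, and it is for illustration only: real keys should come from a vetted library or crypto provider.

```python
import math
import secrets
import time

# Odd primes below 2000: cheap trial division rejects most candidates early.
SMALL_PRIMES = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, p, 2))]

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases; a composite passes with probability <= 4**-rounds."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 == d * 2**s, d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base is a witness: n is composite
    return True

def random_prime(bits, stats):
    """Draw random odd candidates with the top two bits set until one is prime."""
    while True:
        stats["candidates"] += 1
        c = secrets.randbits(bits) | (0b11 << (bits - 2)) | 1
        if is_probable_prime(c):
            return c

def generate_rsa_key(bits=2048, e=65537):
    """Return (n, e, d, stats); stats holds candidates tried and elapsed seconds."""
    start, stats = time.perf_counter(), {"candidates": 0}
    while True:
        p, q = random_prime(bits // 2, stats), random_prime(bits // 2, stats)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    stats["seconds"] = time.perf_counter() - start
    return p * q, e, pow(e, -1, phi), stats

if __name__ == "__main__":
    for size in (1024, 2048):
        print(size, "bits:", generate_rsa_key(size)[3])
```

The candidate count changes from run to run because the prime search is random, so repeated runs give a spread of timings rather than one fixed figure.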

Conclusion

Don’t avoid generating key pairs because of the complexity or time involved. Even with relatively limited resources, today’s technology makes short work of key generation.

If you want more Windows PKI articles please be sure to drop me a comment.

Take care!
Mike Danseglio -CISSP / CEH
Interface Technical Training – Technical Director and Instructor
