We are looking to do some heavy security requirements on our project, and we need to do a lot of encryption that is highly performant.
I think that I know that PKI is much slower and more complex than symmetric encryption, but I can't find the numbers to back up my feelings.
6 solutions
#1
24
Yes, purely asymmetric encryption is much slower than symmetric cyphers (like DES or AES), which is why real applications use hybrid cryptography: the expensive public-key operations are performed only to encrypt (and exchange) an encryption key for the symmetric algorithm that is going to be used for encrypting the real message.
The problem that public-key cryptography solves is that there is no shared secret. With a symmetric encryption you have to trust all involved parties to keep the key secret. This issue should be a much bigger concern than performance (which can be mitigated with a hybrid approach)
#2
20
On a Macbook running OS X 10.5.5 and a stock build of OpenSSL, "openssl speed" clocks AES-128-CBC at 46,000 1024 bit blocks per second. That same box clocks 1024 bit RSA at 169 signatures per second. AES-128-CBC is the "textbook" block encryption algorithm, and RSA 1024 is the "textbook" public key algorithm. It's apples-to-oranges, but the answer is: RSA is much, much slower.
That's not why you shouldn't be using public key encryption, however. Here's the real reasons:
- Public key crypto operations aren't intended for raw data encryption. Algorithms like Diffie-Hellman and RSA were devised as a way of exchanging keys for block crypto algorithms. So, for instance, you'd use a secure random number generator to generate a 128 bit random key for AES, and encrypt those 16 bytes with RSA.
- Algorithms like RSA are much less "user-friendly" than AES. With a random key, a plaintext block you feed to AES is going to come out random to anyone without the key. That is actually not the case with RSA, which is --- more so than AES --- just a math equation. So in addition to storing and managing keys properly, you have to be extremely careful with the way you format your RSA plaintext blocks, or you end up with vulnerabilities.
- Public key doesn't work without a key management infrastructure. If you don't have a scheme to verify public keys, attackers can substitute their own keypairs for the real ones to launch "man in the middle" attacks. This is why SSL forces you to go through the rigamarole of certificates. Block crypto algorithms like AES do suffer from this problem too, but without a PKI, AES is no less safe than RSA.
- Public key crypto operations are susceptible to more implementation vulnerabilities than AES. For example, both sides of an RSA transaction have to agree on parameters, which are numbers fed to the RSA equation. There are evil values attackers can substitute in to silently disable encryption. The same goes for Diffie Hellman and even more so for Elliptic Curve. Another example is the RSA Signature Forgery vulnerability that occurred 2 years ago in multiple high-end SSL implementations.
- Using public key is evidence that you're doing something "out of the ordinary". Out of the ordinary is exactly what you never want to be with cryptography; beyond just the algorithms, crypto designs are audited and tested for years before they're considered safe.
To our clients who want to use cryptography in their applications, we make two recommendations:
- For "data at rest", use PGP. Really! PGP has been beat up for more than a decade and is considered safe from dumb implementation mistakes. There are open source and commercial variants of it.
- For "data in flight", use TLS/SSL. No security protocol in the world is better understood and better tested than TLS; financial institutions everywhere accept it as a secure method to move the most sensitive data.
Here's a decent writeup [matasano.com] me and Nate Lawson, a professional cryptographer, wrote up a few years back. It covers these points in more detail.
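The point in answer #2 about formatting RSA plaintext blocks, shown as an added example that is not part of the original answer: unpadded RSA is deterministic, so the same block always encrypts to the same ciphertext, while OAEP (a standard padding scheme the answer does not name) randomizes every encryption. The key pair and the sample block are constructed for the demo.

```javascript
const crypto = require('node:crypto');

// Constructed 2048-bit key pair, generated locally for this demo only.
const { publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const MODULUS_BYTES = 256; // 2048-bit modulus

// Unpadded ("textbook") RSA: the block, left-filled with zeros to the modulus
// length, is the number fed straight into the RSA equation.
function encryptUnpadded(block) {
  const filled = Buffer.concat([Buffer.alloc(MODULUS_BYTES - block.length), block]);
  return crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_NO_PADDING },
    filled
  );
}

// RSA with OAEP: random padding is mixed in before the RSA operation.
function encryptOaep(block) {
  return crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    block
  );
}

// Encrypt the same block twice with each formatting and report whether the
// two ciphertexts are identical (which lets an observer spot repeats).
function compareFormats(block) {
  return {
    unpaddedRepeats: encryptUnpadded(block).equals(encryptUnpadded(block)),
    oaepRepeats: encryptOaep(block).equals(encryptOaep(block)),
  };
}

// Constructed 16-byte block standing in for an AES key.
const sampleBlock = Buffer.alloc(16, 0x07);
console.log(compareFormats(sampleBlock));
```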
#3
5
Use the OpenSSL speed command to benchmark the algorithms and see for yourself.
[dave@hal9000 ~]$ openssl speed aes-128-cbc
Doing aes-128 cbc for 3s on 16 size blocks: 26126940 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 64 size blocks: 7160075 aes-128 cbc's in 3.00s
...
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc    139343.68k   152748.27k   155215.70k   155745.61k   157196.29k
[dave@hal9000 ~]$ openssl speed rsa2048
Doing 2048 bit private rsa's for 10s: 9267 2048 bit private RSA's in 9.99s
Doing 2048 bit public rsa's for 10s: 299665 2048 bit public RSA's in 9.99s
...
                    sign     verify    sign/s  verify/s
rsa 2048 bits  0.001078s  0.000033s     927.6   29996.5
#4
4
Practical PKI-based encryption systems use asymmetric encryption to encrypt a symmetric key, and then symmetric encryption with that key to encrypt the data (having said that, someone will point out a counter-example).
So the additional overhead imposed by asymmetric crypto algorithms over that of symmetric is fixed - it doesn't depend on the data size, just on the key sizes.
Last time I tested this, validating a chain of 3 or so X.509 certificates [edit to add: and the data they were signing] was taking a fraction of a second on an ARM running at 100MHz or so (averaged over many repetitions, obviously). I can't remember how small - not negligible, but well under a second.
Sorry I can't remember the exact details, but the summary is that unless you're on a very restricted system or doing a lot of encryption (like if you want to accept as many as possible SSL connections a second), NIST-approved asymmetric encryption methods are fast.
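The hybrid scheme described in the answers above, as an added example that is not part of the original posts: a random 128-bit AES key encrypts the data and RSA encrypts only that key, so the public-key cost and the wrapped-key size stay fixed whatever the message size. It assumes Node.js built-in `crypto`, uses AES-128-GCM rather than the CBC mode benchmarked on the page so that tampering is detected, and the key pair and messages are constructed for the demo.

```javascript
const crypto = require('node:crypto');

// Constructed recipient key pair. In a real system the public key must be
// verified (certificate, pinned fingerprint) before anything is sent to it.
const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

function hybridEncrypt(publicKey, plaintext) {
  const key = crypto.randomBytes(16); // fresh 128-bit AES key per message
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce
  const cipher = crypto.createCipheriv('aes-128-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  // The only public-key operation: encrypt the 16 key bytes with RSA.
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, key);
  return { wrappedKey, iv, tag, body };
}

function hybridDecrypt(privateKey, msg) {
  const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-128-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  // final() throws if the body, nonce or tag was modified in transit.
  return Buffer.concat([decipher.update(msg.body), decipher.final()]);
}

// Asymmetric overhead for a 5-byte and a 1 MiB message (both constructed).
function overheadReport() {
  const small = hybridEncrypt(recipient.publicKey, Buffer.from('hello'));
  const large = hybridEncrypt(recipient.publicKey, Buffer.alloc(1 << 20, 0x41));
  return {
    smallWrappedKeyBytes: small.wrappedKey.length,
    largeWrappedKeyBytes: large.wrappedKey.length,
    largeBodyBytes: large.body.length,
    roundTrip: hybridDecrypt(recipient.privateKey, small).toString(),
  };
}

console.log(overheadReport());
```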
#5
2
Apparently it is 1000x worse. (http://windowsitpro.com/article/articleid/93787/symmetric-vs-asymmetric-ciphers.html). But unless you're really working through a lot of data it isn't going to matter. What you can do is use asymmetric encryption to exchange a symmetric encryption key.
#6
0
Perhaps you can add some details about your project so that you get better quality answers. What are you trying to secure? From whom? If you could explain the requirements of your security, you'll get a much better answer. Performance doesn't mean much if the encryption mechanism isn't protecting what you think it is.
For instance, X509 certs are an industrial standard way of securing client/server endpoints. PGP armoring can be used to secure license files. For simplicity, Cipher block chaining with Blowfish (and a host of other ciphers) is easy to use in Perl or Java, if you control both end points.
Thanks.