Jump to navigation

Poupou's Corner of the Web

Looking for perfect security? Try a wireless brick.
Otherwise you may find some unperfect stuff here...

Weblog

The downside of a fully managed world

Hey you didn't actually believe that there was no inconvenient, did you ?

Have a look at the following sample:

// wow this is really fast ! RSACryptoServiceProvider rsa = new RSACryptoServiceProvider (2048); // hey what's going on ??? string keypair = rsa.ToXmlString (true);

Bad news

If you try to run this code you will see that one line is much longer than the other. Which one is it ? hint: it's not the comments. Well you're both right and wrong - because it depends on your runtime.

Mono use a totally managed implementation for RSA (and DSA, DH ...). This has many advantages but also some inconvenient - mostly performance. Creating a new key pair is a very CPU heavy process so every processor cycle counts. Using a high level language like C# on top of a JIT, even as good as Mono, can hardly compare to hand-tuned assembly language often found for doing the job (or at least key part of the job). The result is that it can take much more time to generate similar sized key pairs in managed code.

Good news

However it may not be as bad as it seems in the sample...

Unlike Microsoft implementation Mono doesn't generate a new key pair in its constructor (when no CspParameter object is specified as a parameter). This is because it's a common, and very bad, pattern to create a RSACryptoServiceProvider object then immediately import an existing public key (or key pair) into it. Sadly I've seen this in too many samples on the internet and this simply kills performance on the Windows platform - in particular for server applications.

In order to avoid this pattern Mono doesn't generate a new key pair until it is actually required. This is nice most of the time but this also means that, in the case a new key pair is really needed, the delay required generating a new key pair moves until later in an application process (when the UI may not expect this).

But this also means that calling again a method requiring either the public or private key will be much faster because it doesn't require generating a new key pair (see next sample). So this is only a one time hit... Hopefully most implementation do not require creating new key pairs very frequently as opposed to signing/verifying or encrypting/decrypting.

// wow this is really really really fast ! RSACryptoServiceProvider rsa = new RSACryptoServiceProvider (16384); // hey what's going on ??? ... then one day later ... string keypair = rsa.ToXmlString (true); // we seems awake now! string backup = rsa.ToXmlString (true);

Another good news is that most optimization made to the JIT will results in improvement in the key generation performance. So it will keep going faster without changing the code ;-)


3/10/2004 19:50:53 | Comments

The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.