Question

I am using PHP Crypt_RSA (http://pear.php.net/package/Crypt_RSA) for encrypting and decrypting the contents. The contents are 1kb in size. The following are the results:

  1. keylength = 1024; encryption function takes time: 225 secs
  2. keylength = 2048; encryption function takes time: 115 secs

I need to reduce this execution time, as most live Apache servers have a 120 sec limit for execution time. How can I reduce this execution time? The RSA algorithm docs say that only 1024 - 2048 keys are generated. I ACTUALLY tried to generate a larger key, but it always results in an execution timeout.

How do I work on reducing the encryption - decryption execution time?

Thanks, Nila

Solution

Do not use RSA to encrypt content, use RSA to encrypt a symmetric key that is then used to encrypt the content.

The symmetric cipher AES uses a key length of 256 bits, which is 32 bytes, about 30 times less data to encrypt/decrypt using RSA than the kilobyte of data you encrypt now.

So the 115 seconds will be reduced to 3-4 secs plus the encryption/decryption time used for AES which is much faster than RSA.

OTHER TIPS

Make your key bigger :) According to your numbers, you halve the time by doubling the key size. I am sure it's an error.

First thing to do is to switch to OpenSSL, which is an extension in C. If you use the correct build, the public key operations are done in assembly so it's much, much faster than PHP code. In my experience, it's at least 10 times faster.

The 2nd thing to do is to use a standard envelope like PKCS#7 (OpenSSL supports this). It will use a symmetric key to encrypt the content and encrypt that key using the public key. It has lots of overhead for small messages, but you will benefit in the long run.

First, I would recommend phpseclib - a pure PHP RSA implementation - be used. The problem with PEAR's Crypt_RSA is that it doesn't support very many key formats, doesn't do RSA blinding (and as such is vulnerable to timing attacks) and doesn't support OAEP / PSS.

ZZ Coder recommends PKCS#7 be used. The following URL discusses how to use phpseclib in a lightweight version of PKCS#7:

http://area51.phpbb.com/phpBB/viewtopic.php?f=84&t=33024

You may consider using mcrypt or openssl instead for your encryption/decryption needs. See openssl_public_encrypt for examples. That will be much faster than the PHP implementation done in Crypt_* (even if they use bigint or another C large integer implementation like gmp).
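
The approach the answers above describe (RSA encrypts only a symmetric key, the symmetric cipher encrypts the content, both done by the OpenSSL extension), as an added example that is not code from any of the answers. It assumes PHP 7.1+ with ext-openssl; AES-256-GCM, OAEP padding and the helper names `envelope_encrypt()` / `envelope_decrypt()` are choices made for this illustration.

```php
<?php
// Added example, not from the answers. Assumptions: PHP 7.1+ with ext-openssl;
// AES-256-GCM and RSA-OAEP are choices made here; helper names are hypothetical.

function envelope_encrypt(string $plaintext, $publicKey): array
{
    $aesKey = random_bytes(32);   // fresh 256-bit content key per message
    $iv     = random_bytes(12);   // 96-bit GCM nonce, never reused with a key
    $tag    = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $aesKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('AES encryption failed');
    }
    // RSA touches only the 32-byte key, not the 1 KB payload.
    if (!openssl_public_encrypt($aesKey, $wrapped, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key wrap failed');
    }
    return ['key' => $wrapped, 'iv' => $iv, 'tag' => $tag, 'ct' => $ct];
}

function envelope_decrypt(array $env, $privateKey): string
{
    if (!openssl_private_decrypt($env['key'], $aesKey, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key unwrap failed');
    }
    $pt = openssl_decrypt($env['ct'], 'aes-256-gcm', $aesKey, OPENSSL_RAW_DATA, $env['iv'], $env['tag']);
    if ($pt === false) {   // GCM tag mismatch: ciphertext or key was modified
        throw new RuntimeException('Authentication failed');
    }
    return $pt;
}

// Constructed demo data: throwaway 2048-bit key pair and a random 1 KB message.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($pair)['key'];
$message   = random_bytes(1024);

$start = microtime(true);
$env   = envelope_encrypt($message, $publicPem);
$back  = envelope_decrypt($env, $pair);
printf("round trip ok: %s, %.1f ms\n", var_export(hash_equals($message, $back), true),
       (microtime(true) - $start) * 1000);

$env['ct'][0] = chr(ord($env['ct'][0]) ^ 1);   // flip one ciphertext bit
try {
    envelope_decrypt($env, $pair);
} catch (RuntimeException $e) {
    echo "tampered envelope rejected: ", $e->getMessage(), "\n";
}
```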

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow