Staff

Major system upgrade COMPLETED


Hello!

No flames please. Especially no flames for nothing.

From a technical point of view, having 4096 bit RSA keys instead of 2048 bit RSA keys does not worsen or improve performance of the Data Channel. The Data Channel cipher was and remains AES-256-CBC.

4096 bit sized RSA keys, in comparison to 2048 bit ones, slow down the first handshake by about 1-5 seconds (depending on the CPU power), which is totally negligible. The additional security provided by RSA-4096 is well worth this barely noticeable difference.

Even the TLS re-keying, which occurs every hour, will take some seconds more, but you can't notice that, because OpenVPN TLS re-keying occurs with overlapping windows (until the new key pair is negotiated, the previous one is used).

After the TLS Auth (2048 bit) and the initial negotiation with RSA 4096, your system never uses RSA to encrypt or decrypt or authenticate packets: the ciphers to be taken into consideration for performance are those of the Data Channel (in our case AES-256-CBC, unchanged) and those of the Control Channel (in our case HMAC, again unchanged, and probably negligible if compared to AES-256-CBC and the volume of data of the Data Channel).

The fact that the CPU is 5 degrees hotter should not depend on RSA key size. Although the temperature difference does not seem worrying, if an investigation is carried out, it should consider different causes.

Kind regards
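
The amortization argument in the post above, as an added example that is not part of the original post or AirVPN's code: it times one private-key-sized modular exponentiation at 2048 and 4096 bits and spreads that cost over the hourly re-keying interval. The modulus and exponent are random constructed stand-ins rather than real keys, `ops_per_handshake` is a hypothetical parameter, and DH, network round trips and the rest of the OpenVPN handshake are not modeled.

```python
import secrets
import time

RENEG_SEC = 3600  # hourly TLS re-keying, as stated in the post


def random_modulus(bits):
    """Constructed stand-in for an RSA modulus: random odd integer, top bit set."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def private_op_seconds(bits, rounds=5):
    """Best-of-`rounds` time for one private-key-sized modular exponentiation."""
    n = random_modulus(bits)
    # Full-length exponent, like an RSA private exponent (constructed, not a real key).
    d = secrets.randbits(bits) | (1 << (bits - 1))
    m = 2 + secrets.randbelow(n - 3)
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        pow(m, d, n)
        best = min(best, time.perf_counter() - start)
    return best


def duty_cycle(op_seconds, ops_per_handshake=1, reneg_sec=RENEG_SEC):
    """Fraction of each re-keying interval spent on public-key work.

    ops_per_handshake is a hypothetical knob for modeling several
    exponentiations per handshake; the default counts a single one.
    """
    return op_seconds * ops_per_handshake / reneg_sec


def compare(sizes=(2048, 4096)):
    """Measure each key size and amortize its cost over one re-keying interval."""
    results = {}
    for bits in sizes:
        t = private_op_seconds(bits)
        results[bits] = {"op_seconds": t, "duty_cycle": duty_cycle(t)}
    return results


if __name__ == "__main__":
    for bits, r in compare().items():
        print(f"{bits}-bit: {r['op_seconds'] * 1e3:.2f} ms per operation, "
              f"{r['duty_cycle']:.2e} of each {RENEG_SEC} s interval")
```

The larger key costs more per operation, but either size occupies a tiny fraction of each re-keying interval, so sustained CPU load comes from the Data Channel cipher and not from the key size.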


Couldn't express it better.

 

Hi,

 

is it possible to provide an option to move back to using 2048 bit size RSA and DH keys?

 

I felt quite secure using that level of security and since we moved to 4096 my CPU is running 5 degrees hotter than before.

 

Thanks.

pfSense_fan, never in all my years of using internet forums have I felt it necessary to block another member until now. Your shallow, inadequate and boastful drivel has forced me to choose that option today though.

 

Let me give you some advice about hot CPUs without risking my reputation. You either made your PC a malware farm (which is curable) or your CPU is a single core CPU running Windows Vista and newer or a Dual Core running Windows 8.

To measure the speed of a CPU two types of tasks are used: Encryption/Decryption and Compression/Decompression, I'll use E/D and C/D to abbreviate. These are the most CPU-intensive tasks, that's why they are used for measuring.

Before the big update AirVPN used 256 bit AES for E/D and LZO for C/D. Those were two tasks that needed to be executed simultaneously.

After the big update AirVPN still uses 256 bit AES for E/D but LZO is turned off. C/D is not needed anymore. So I'd say it should be better now.

 

McLoEa: Please unblock pfSense_fan. We're fighting censorship and not each other.

pfSense_fan: Don't be so harsh in your choice of words, relax.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


It has been working very smoothly for me since my last reinstall.

Everything is running perfectly here.

 

many thanks

