Staff 10014 Posted ...

Hello! No flames please. Especially no flames for nothing.

From a technical point of view, having 4096 bit RSA keys instead of 2048 bit RSA keys does not worsen or improve performance of the Data Channel. The Data Channel cipher was and remains AES-256-CBC. 4096 bit RSA keys, in comparison to 2048 bit ones, slow down the first handshake by about 1-5 seconds (according to the CPU power), which is totally negligible. The additional security provided by RSA-4096 is well worth this barely noticeable difference. Even the TLS re-keying, which occurs every hour, will take some seconds more, but you can't notice that, because OpenVPN TLS re-keying occurs with overlapping windows (until the new key pair is negotiated, the previous one is used).

After the TLS Auth (2048 bit) and the initial negotiation with RSA 4096, your system never uses RSA to encrypt or decrypt or authenticate packets: the ciphers to be taken into consideration for performance are those of the Data Channel (in our case AES-256-CBC, unchanged) and those of the Control Channel (in our case HMAC, again unchanged, and probably negligible if compared to AES-256-CBC and the volume of data of the Data Channel).

The fact that the CPU is 5 degrees hotter should not depend on RSA key size. Although the temperature difference does not seem worrying, if an investigation is carried out it should consider different causes.

Kind regards
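To put numbers behind the Staff post's point (one RSA operation per negotiation versus AES on every packet), here is an added Go example; it is not code from AirVPN or OpenVPN. It approximates the control-channel asymmetric work as one PKCS#1 v1.5 sign plus verify over a constructed transcript (the real handshake also includes a DH exchange), measures AES-256-CBC on a 16 MiB sample and scales linearly, and the 1 GiB/hour traffic figure is an assumption.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"time"
)

// HandshakeCost times one RSA sign + verify, roughly the asymmetric work the
// OpenVPN control channel does per TLS negotiation (initial or hourly re-key).
func HandshakeCost(bits int) time.Duration {
	key, err := rsa.GenerateKey(rand.Reader, bits) // key generation is not timed
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256([]byte("constructed handshake transcript"))
	start := time.Now()
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil || rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig) != nil {
		panic("RSA sign/verify failed")
	}
	return time.Since(start)
}

// DataChannelCost times AES-256-CBC encryption of n bytes of constructed traffic.
func DataChannelCost(n int) time.Duration {
	key := make([]byte, 32) // AES-256 key, random bytes stand in for the session key
	iv := make([]byte, aes.BlockSize)
	rand.Read(key)
	rand.Read(iv)
	block, _ := aes.NewCipher(key) // a 32-byte key is always accepted
	buf := make([]byte, n-n%aes.BlockSize) // CBC needs whole 16-byte blocks
	start := time.Now()
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf)
	return time.Since(start)
}

// RekeyShare returns the fraction of one hour's crypto CPU time spent on a single
// RSA re-key of the given size, given bytesPerHour of data-channel traffic.
func RekeyShare(bits, bytesPerHour int) float64 {
	const sample = 16 << 20 // AES measured on 16 MiB, then scaled to the hour
	hs := HandshakeCost(bits).Seconds()
	data := DataChannelCost(sample).Seconds() / sample * float64(bytesPerHour)
	return hs / (hs + data)
}
```

Calling RekeyShare(2048, 1<<30) and RekeyShare(4096, 1<<30) shows the re-key as a fraction of a percent of the hour's crypto work in both cases, which is the Staff post's argument in measured form.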
OpenSourcerer 1441 Posted ...

(quoting Staff's post above)

Couldn't express it better.

Hi, is it possible to provide an option to move back to using 2048 bit size RSA and DH keys? I felt quite secure using that level of security and since we moved to 4096 my CPU is running 5 degrees hotter than before. Thanks.

pfSense_fan, never in all my years of using internet forums have I felt it necessary to block another member until now. Your shallow, inadequate and boastful drivel has forced me to choose that option today though. Let me give you some advice about hot CPUs without risking my reputation.

You either made your PC a malware farm (which is curable) or your CPU is a single core CPU running Windows Vista and newer or a Dual Core running Windows 8. To measure the speed of a CPU two types of tasks are used: Encryption/Decryption and Compression/Decompression; I'll use E/D and C/D to abbreviate. These are the most CPU-intensive tasks, that's why they are used for measuring. Before the big update AirVPN used 256 bit AES for E/D and LZO for C/D. Those were two tasks that needed to be executed simultaneously. After the big update AirVPN still uses 256 bit AES for E/D but LZO is turned off. C/D is not needed anymore. So I'd say it should be better now.

McLoEa: Please unblock pfSense_fan. We're fighting censorship and not each other.
pfSense_fan: Don't be so harsh in your choice of words, relax.
Sarif 3 Posted ...

It has been working very smoothly for me since my last reinstall; everything is running perfectly here. Many thanks.