Md5 vs. Sha1 Performance - Upgrade Cryptographic Provider?

Md5 vs. Sha1 Performance - Upgrade Cryptographic Provider? jwgoerlich 03-30-2007
Posted by on March 30, 2007, 9:22 am
Hello,

We have a process that decrypts data, processes it, encrypts, and uploads.
With a Md5 certificate on Windows 2000, this process took 1-3 seconds.
We recently rekeyed. With a Sha1 certificate, the process now takes 30
seconds. This is far too long, unfortunately.

Testing shows that this same process runs on Windows 2003, with either
Md5 or Sha1, in 1-3 seconds. The performance issue seems to be with
2000 and Sha1.

I noticed that the Microsoft Enhanced Cryptographic Provider
(Rsaenh.dll) on Windows 2000 is 5.0.2195.6611. On Windows 2003, the
version is 5.2.3790.1830.

The main question is how to improve the performance of Sha1 on Windows
2000. My current guess is upgrade cryptography library, so a related
question is how to do this.

Any and all suggestions appreciated.

J Wolfgang Goerlich


Posted by on March 30, 2007, 5:40 pm
Follow-up, correction, and clarification:

I should add that this process is a web service. On Windows 2003, the IIS
Application Pool's configuration has an impact on the time the process takes.

If the web service is in an application pool whose identity is set to
Local System, the Sha1 decryption-encryption process takes less than 5
seconds.

If the identity is set to Network Service, the Sha1 decryption-
encryption takes 35 seconds.

Checking from Process Explorer, I see that the w3wp.exe (worker
process) is holding on to crypt32.dll for about 28 seconds. The stack
looks something like this:

ntoskrnl.exe+0x397da
ntdll.dll!KiFastSystemCallRet
CRYPT32.dll!I_CryptFlushLruCache+0x84
kernel32.dll!GetModuleHandleA+0xdf
mscorsvr.dll!GetAssemblyMDImport+0x1c188

Interesting but not -- to me, at least -- all that informative.
Cryptographically speaking, what would System have that Network
Service lacks?

J Wolfgang Goerlich


Posted by S. Pidgorny on March 31, 2007, 4:42 am
I think this behaviour can be classified as a bug in Microsoft software - I
recommend filing a bug report.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


> Follow-up, correction, and clarification:
>
> I should add that this process is a web service. On Windows 2003, the IIS
> Application Pool's configuration has an impact on the time the process takes.
>
> If the web service is in an application pool whose identity is set to
> Local System, the Sha1 decryption-encryption process takes less than 5
> seconds.
>
> If the identity is set to Network Service, the Sha1 decryption-
> encryption takes 35 seconds.
>
> Checking from Process Explorer, I see that the w3wp.exe (worker
> process) is holding on to crypt32.dll for about 28 seconds. The stack
> looks something like this:
>
> ntoskrnl.exe+0x397da
> ntdll.dll!KiFastSystemCallRet
> CRYPT32.dll!I_CryptFlushLruCache+0x84
> kernel32.dll!GetModuleHandleA+0xdf
> mscorsvr.dll!GetAssemblyMDImport+0x1c188
>
> Interesting but not -- to me, at least -- all that informative.
> Cryptographically speaking, what would System have that Network
> Service lacks?
>
> J Wolfgang Goerlich
>



Posted by on April 1, 2007, 7:41 pm
> I think this behaviour can be classified as a bug in Microsoft software - I
> recommend filing a bug report.

I think you are right ... but perhaps not in the way you are
thinking.

The problem was traced to the Network Service account not having NTFS
permissions to the certificates. These are in the folder:

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto
\RSA\MachineKeys

System had access but not Network Service. So, when the Application
Pool ran under System, the w3wp.exe could access the keys and the code
ran in 3 seconds. When the Application Pool ran under Network Service,
the w3wp.exe process could not access the keys, timed out, and then
still managed to encrypt the data and return in 30 seconds.

The mystery bug is this: how did the web service encrypt the data if
the w3wp.exe could not access the Sha1 keys?

J Wolfgang Goerlich
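A check for the condition diagnosed above, added here and not part of the thread: for a given machine certificate, it locates the private-key container file under MachineKeys and reports whether the application-pool identity (assumed to be NETWORK SERVICE) has an Allow rule granting Read on it. It assumes Windows PowerShell on .NET Framework, where X509Certificate2.PrivateKey returns the CAPI RSACryptoServiceProvider, and it looks both in the Windows 2000/2003 folder named in the thread and in the ProgramData location newer Windows uses; the thumbprint is a placeholder you supply.

```powershell
# Added example (not from the thread): report whether an app-pool identity can
# read a certificate's private-key container file under MachineKeys.
# Assumes Windows PowerShell / .NET Framework (CAPI RSACryptoServiceProvider keys).
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,          # placeholder: your cert thumbprint
    [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'          # assumed app-pool identity
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key on this machine" }

# For CAPI keys the container's file name under MachineKeys is exposed here
$csp = $cert.PrivateKey
if (-not ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider])) {
    throw "Private key is not held by a CAPI RSA CSP; this check only covers MachineKeys"
}
$keyFile = $csp.CspKeyContainerInfo.UniqueKeyContainerName

# Candidate MachineKeys folders: newer Windows (ProgramData) and the legacy path from the thread
$roots = @()
if ($env:ProgramData) { $roots += Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys' }
$roots += 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'
$path = $roots | ForEach-Object { Join-Path $_ $keyFile } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $path) { throw "Key container file $keyFile not found under any MachineKeys folder" }

# Does the identity hold an Allow rule that covers the full Read right set?
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$rules = (Get-Acl $path).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
$canRead = @($rules | Where-Object {
    ($_.AccessControlType -eq 'Allow') -and
    ((($_.FileSystemRights -band $readRight) -eq $readRight))
}).Count -gt 0

[pscustomobject]@{
    Subject  = $cert.Subject
    KeyFile  = $path
    Identity = $Identity
    CanRead  = $canRead
    Rules    = ($rules | ForEach-Object { "$($_.AccessControlType): $($_.FileSystemRights)" }) -join '; '
}
```

A result of CanRead = False for the pool identity is the condition that produced the 30-second timeout in the thread; granting that identity Read on the single key file (not the whole folder) is the least-privilege fix.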


Posted by S. Pidgorny on April 3, 2007, 4:58 am
Obviously it somehow impersonates system... Excellent job analysing the
issue btw - and definitely do report the bug.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

>> I think this behaviour can be classified as a bug in Microsoft software - I
>> recommend filing a bug report.
>
> I think you are right ... but perhaps not in the way you are
> thinking.
>
> The problem was traced to the Network Service account not having NTFS
> permissions to the certificates. These are in the folder:
>
> C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto
> \RSA\MachineKeys
>
> System had access but not Network Service. So, when the Application
> Pool ran under System, the w3wp.exe could access the keys and the code
> ran in 3 seconds. When the Application Pool ran under Network Service,
> the w3wp.exe process could not access the keys, timed out, and then
> still managed to encrypt the data and return in 30 seconds.
>
> The mystery bug is this: how did the web service encrypt the data if
> the w3wp.exe could not access the Sha1 keys?
>
> J Wolfgang Goerlich
>


