Posts

Showing posts from February, 2012

Be careful with hashmaps

As you may remember from long ago, hash table operations are O(1) in the best case, but can degrade to O(n) if you get hash collisions. And if you're adding n new entries, that means O(n^2) in total.

I thought I'd take a look at the hash_set/hash_map GNU C++ extension. In /usr/include/c++/4.4.3/backward/hash_fun.h:

    inline size_t
    __stl_hash_string(const char* __s)
    {
      unsigned long __h = 0;
      for ( ; *__s; ++__s)
        __h = 5 * __h + *__s;
      return size_t(__h);
    }

Test program that loads some strings:

    #include<time.h>
    #include<iostream>
    #include<hash_set>

    double
    getclock()
    {
      struct timespec ts;
      clock_gettime(CLOCK_MONOTONIC, &ts);
      return ts.tv_sec + ts.tv_nsec / 1e9;
    }

    _GLIBCXX_BEGIN_NAMESPACE(__gnu_cxx)
    template<> struct hash< ::std::string ...
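To see the O(n^2) cost concretely, here is an added example (not the post's own test program) that counts the string comparisons a chained hash set performs when every key lands in one bucket. The names weak_hash, colliding_keys, plain_keys and chain_comparisons, the bucket count and the key sets are assumptions constructed for this illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Same arithmetic as the __stl_hash_string excerpt above, copied for the demo.
static size_t weak_hash(const std::string& s) {
  unsigned long h = 0;
  for (size_t i = 0; i < s.size(); ++i) h = 5 * h + s[i];
  return size_t(h);
}

// Constructed input: strings of `blocks` two-character blocks, each "Af" or
// "Ba". 5*'A'+'f' == 5*'B'+'a' == 427 and the hash is linear, so all
// 2^blocks strings share a single hash value.
static std::vector<std::string> colliding_keys(unsigned blocks) {
  std::vector<std::string> out;
  for (unsigned long bits = 0; bits < (1UL << blocks); ++bits) {
    std::string s;
    for (unsigned b = 0; b < blocks; ++b) s += ((bits >> b) & 1) ? "Ba" : "Af";
    out.push_back(s);
  }
  return out;
}

// Constructed baseline: "key0", "key1", ...
static std::vector<std::string> plain_keys(size_t n) {
  std::vector<std::string> out;
  for (size_t i = 0; i < n; ++i) out.push_back("key" + std::to_string(i));
  return out;
}

// Insert keys into a chained hash set and count the string comparisons spent
// walking chains; with n keys in one bucket this is n*(n-1)/2.
static unsigned long chain_comparisons(const std::vector<std::string>& keys,
                                       size_t nbuckets) {
  std::vector<std::vector<std::string> > table(nbuckets);
  unsigned long cmp = 0;
  for (size_t i = 0; i < keys.size(); ++i) {
    std::vector<std::string>& chain = table[weak_hash(keys[i]) % nbuckets];
    bool found = false;
    for (size_t j = 0; j < chain.size() && !found; ++j, ++cmp)
      found = (chain[j] == keys[i]);
    if (!found) chain.push_back(keys[i]);
  }
  return cmp;
}

int main() {
  std::cout << "colliding: " << chain_comparisons(colliding_keys(10), 1543)
            << "\nplain:     " << chain_comparisons(plain_keys(1024), 1543) << "\n";
}
```

Tracking the longest chain or the comparison count per insert in this way is also a cheap runtime check for a table that has degraded.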

Benchmarking TPM-backed SSL

As you can plainly see from this graph, my TPM chip can do approximately 1.4 SSL handshakes per second. A handshake takes about 0.7 seconds of TPM time, so when two clients are connecting the average connect time is 1.4 seconds. This means it's probably not useful on the server side, but should be good for some client-side applications.

To replicate the test, start a server:

    openssl s_server -keyform engine -engine tpm -accept 12345 -cert foo.crt -key foo.key -tls1 -CAfile foo.crt -verify 1 -status

And then connect 100 times:

    for n in $(seq 100); do time openssl s_client -tls1 -connect localhost:12345 < /dev/null > /dev/null 2>/dev/null;done 2> timelog

Then just look at the "real" time in the timelog. (If in doubt, use bash. zsh gave me some crap in the log.)

Example GNUPlot:

    plot [1:] [0:2] '2' using (2/$1) w l title '2 clients','1' using (1/$1) w l title '1 client'

TPM-backed SSL

This is a short howto on setting up TPM-backed SSL. This means that the secret key belonging to an SSL cert is protected by the TPM and cannot be copied off of the machine or otherwise inspected. So even if you get hacked, the attackers cannot impersonate you once you manage to kick them off or just shut down the server. The secret key is safe. It has never been outside the TPM and never will be.

This can be used for both client and server certs.

Prerequisites

- A TPM chip. Duh. May need to be turned on in the BIOS. Could be called "security chip" or something. If you don't have a TPM chip but still want to follow along (maybe to add TPM support to some program) then you can install a TPM emulator. See links at the end on how to install a TPM emulator.
- A working CA that will sign your CSR. I will assume you're running your own CA, but you can send the CSR to someone else to sign if you want...