AES GCM slow

Chris Hegarty chris.hegarty at oracle.com
Mon Jan 27 01:34:50 PST 2014


Cross posting to security-dev, since the question cipher related.

-Chris.

On 27/01/14 09:28, Mark Christiaens wrote:
> I wrote  a little test client/server setup that transfers 100 MB of data
> over an SSL socket configured to use TLS 1.2 AES GCM
> (TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256).  On my i7-4770 CPU @ 3.40GHz
> with OpenJDK 1.8.0-ea-b124 I get a transfer rate of around 5.2
> MiB/second.  I expected a higher speed.  Using
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 I reach 100 MiB/s.  Is this to
> be expected?
>
> For reference, here is my code:
>
> ///// Client.java
>
> package ssl;
>
> import javax.net.ssl.*;
> import java.io.*;
> import java.util.Arrays;
>
> public class Client {
>
>      public static void main(String[] arstring) {
>          try {
>              SSLSocketFactory sslsocketfactory = (SSLSocketFactory)
> SSLSocketFactory.getDefault();
>              SSLSocket sslsocket = (SSLSocket)
> sslsocketfactory.createSocket("localhost", 9999);
>              Helper.requireAESCipherSuites(sslsocket);
>              sslsocket.setEnabledProtocols(new String[]{"TLSv1.2"});
>
>              try (OutputStream outputstream = sslsocket.getOutputStream()) {
>                  byte[] buf = new byte[Helper.BUF_SIZE];
>                  Arrays.fill(buf, (byte) 1);
>                  for (int i = 0; i < Helper.BUF_COUNT; ++i) {
>                      outputstream.write(buf);
>                  }
>
>                  System.out.println("Using cipher suite: " +
> (sslsocket.getSession()).getCipherSuite());
>
>                  outputstream.flush();
>              }
>
>          } catch (IOException exception) {
>              exception.printStackTrace();
>          }
>      }
> }
>
> ///// Server.java
>
> package ssl;
>
> import javax.net.ssl.*;
> import java.io.*;
>
> public class Server {
>
>      public static void main(String[] arstring) {
>          try {
>              SSLServerSocketFactory sslserversocketfactory =
> (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
>              SSLServerSocket sslserversocket = (SSLServerSocket)
> sslserversocketfactory.createServerSocket(9999);
>              SSLSocket sslsocket = (SSLSocket) sslserversocket.accept();
>
>              InputStream inputstream = sslsocket.getInputStream();
>
>              byte[] buf = new byte[Helper.BUF_SIZE];
>              long bytesToRead = BYTES_TO_READ;
>
>              long startTime = System.currentTimeMillis();
>
>              while (bytesToRead > 0) {
>                  bytesToRead -= inputstream.read(buf);
>              }
>
>              long stopTime = System.currentTimeMillis();
>              long totalTimeMs = stopTime - startTime;
>              double mbRead = BYTES_TO_READ / (1024.0 * 1024);
>              double totalTimeSeconds = totalTimeMs / 1000.0;
>              double mibPerSecond = mbRead / totalTimeSeconds;
>
>              System.out.println("Using cipher suite: " +
> (sslsocket.getSession()).getCipherSuite());
>              System.out.println("Read " + mbRead + "MiB in " +
> totalTimeSeconds + "s");
>              System.out.println("Bandwidth: " + mibPerSecond + "MiB/s");
>
>          } catch (IOException exception) {
>              exception.printStackTrace();
>          }
>      }
>
>      private static final int BYTES_TO_READ = Helper.BUF_COUNT *
> Helper.BUF_SIZE;
> }
>
> ///// Helper.java
>
> package ssl;
>
> import java.util.*;
> import java.util.regex.*;
> import javax.net.ssl.*;
>
> public class Helper {
>
>      static int BUF_SIZE = 1024 * 1024;
>      static int BUF_COUNT = 100;
>
>      static SSLSocket requireAESCipherSuites(SSLSocket socket) {
>          String supportedCipherSuites[] = socket.getSupportedCipherSuites();
>
>          System.out.println("Supported cipher suite: " +
> Arrays.toString(supportedCipherSuites));
>
>          List<String> selectedCipherSuites = new ArrayList<>();
>
> //        String patternString = ".*";
>          String patternString = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
> //        String patternString = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
>
>          Pattern pattern = Pattern.compile(patternString);
>
>          for (String cipherSuite : supportedCipherSuites) {
>              Matcher matcher = pattern.matcher(cipherSuite);
>              if (matcher.find()) {
>                  selectedCipherSuites.add(cipherSuite);
>              }
>          }
>
>          System.out.println("Selected cipher suites: " +
> selectedCipherSuites);
>
>          socket.setEnabledCipherSuites(selectedCipherSuites.toArray(new
> String[0]));
>
>          return socket;
>      }
> }
>


More information about the security-dev mailing list