AES GCM slow
Xuelei Fan
xuelei.fan at oracle.com
Mon Jan 27 14:19:17 UTC 2014
What's the platform are you using for the testing? Windows, Linux,
Solaris or Mac OS? GCM are now only implemented in SunJCE provider. I
want to make sure the crypto provider for AES-CBC, which is different
for different platforms by default, is not the major cause of the
performance impact.
Thanks for the performance measure.
Regards,
Xuelei
On 1/27/2014 5:34 PM, Chris Hegarty wrote:
> Cross posting to security-dev, since the question cipher related.
>
> -Chris.
>
> On 27/01/14 09:28, Mark Christiaens wrote:
>> I wrote a little test client/server setup that transfers 100 MB of data
>> over an SSL socket configured to use TLS 1.2 AES GCM
>> (TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256). On my i7-4770 CPU @ 3.40GHz
>> with OpenJDK 1.8.0-ea-b124 I get a transfer rate of around 5.2
>> MiB/second. I expected a higher speed. Using
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 I reach 100 MiB/s. Is this to
>> be expected?
>>
>> For reference, here is my code:
>>
>> ///// Client.java
>>
>> package ssl;
>>
>> import javax.net.ssl.*;
>> import java.io.*;
>> import java.util.Arrays;
>>
>> public class Client {
>>
>> public static void main(String[] arstring) {
>> try {
>> SSLSocketFactory sslsocketfactory = (SSLSocketFactory)
>> SSLSocketFactory.getDefault();
>> SSLSocket sslsocket = (SSLSocket)
>> sslsocketfactory.createSocket("localhost", 9999);
>> Helper.requireAESCipherSuites(sslsocket);
>> sslsocket.setEnabledProtocols(new String[]{"TLSv1.2"});
>>
>> try (OutputStream outputstream =
>> sslsocket.getOutputStream()) {
>> byte[] buf = new byte[Helper.BUF_SIZE];
>> Arrays.fill(buf, (byte) 1);
>> for (int i = 0; i < Helper.BUF_COUNT; ++i) {
>> outputstream.write(buf);
>> }
>>
>> System.out.println("Using cipher suite: " +
>> (sslsocket.getSession()).getCipherSuite());
>>
>> outputstream.flush();
>> }
>>
>> } catch (IOException exception) {
>> exception.printStackTrace();
>> }
>> }
>> }
>>
>> ///// Server.java
>>
>> package ssl;
>>
>> import javax.net.ssl.*;
>> import java.io.*;
>>
>> public class Server {
>>
>> public static void main(String[] arstring) {
>> try {
>> SSLServerSocketFactory sslserversocketfactory =
>> (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
>> SSLServerSocket sslserversocket = (SSLServerSocket)
>> sslserversocketfactory.createServerSocket(9999);
>> SSLSocket sslsocket = (SSLSocket) sslserversocket.accept();
>>
>> InputStream inputstream = sslsocket.getInputStream();
>>
>> byte[] buf = new byte[Helper.BUF_SIZE];
>> long bytesToRead = BYTES_TO_READ;
>>
>> long startTime = System.currentTimeMillis();
>>
>> while (bytesToRead > 0) {
>> bytesToRead -= inputstream.read(buf);
>> }
>>
>> long stopTime = System.currentTimeMillis();
>> long totalTimeMs = stopTime - startTime;
>> double mbRead = BYTES_TO_READ / (1024.0 * 1024);
>> double totalTimeSeconds = totalTimeMs / 1000.0;
>> double mibPerSecond = mbRead / totalTimeSeconds;
>>
>> System.out.println("Using cipher suite: " +
>> (sslsocket.getSession()).getCipherSuite());
>> System.out.println("Read " + mbRead + "MiB in " +
>> totalTimeSeconds + "s");
>> System.out.println("Bandwidth: " + mibPerSecond + "MiB/s");
>>
>> } catch (IOException exception) {
>> exception.printStackTrace();
>> }
>> }
>>
>> private static final int BYTES_TO_READ = Helper.BUF_COUNT *
>> Helper.BUF_SIZE;
>> }
>>
>> ///// Helper.java
>>
>> package ssl;
>>
>> import java.util.*;
>> import java.util.regex.*;
>> import javax.net.ssl.*;
>>
>> public class Helper {
>>
>> static int BUF_SIZE = 1024 * 1024;
>> static int BUF_COUNT = 100;
>>
>> static SSLSocket requireAESCipherSuites(SSLSocket socket) {
>> String supportedCipherSuites[] =
>> socket.getSupportedCipherSuites();
>>
>> System.out.println("Supported cipher suite: " +
>> Arrays.toString(supportedCipherSuites));
>>
>> List<String> selectedCipherSuites = new ArrayList<>();
>>
>> // String patternString = ".*";
>> String patternString = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
>> // String patternString =
>> "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
>>
>> Pattern pattern = Pattern.compile(patternString);
>>
>> for (String cipherSuite : supportedCipherSuites) {
>> Matcher matcher = pattern.matcher(cipherSuite);
>> if (matcher.find()) {
>> selectedCipherSuites.add(cipherSuite);
>> }
>> }
>>
>> System.out.println("Selected cipher suites: " +
>> selectedCipherSuites);
>>
>> socket.setEnabledCipherSuites(selectedCipherSuites.toArray(new
>> String[0]));
>>
>> return socket;
>> }
>> }
>>
More information about the security-dev
mailing list