AES GCM slow

Mark Christiaens mark.g.j.christiaens at gmail.com
Mon Jan 27 06:23:54 PST 2014


Silly me, forgot to mention that I'm working on Ubuntu, 64 bit, 13.10.

So, AES-CBC seems to be reasonably fast (100 MiB/s) but AES-GCM is slow
(5.2 MiB/s).  I'm particularly curious about the GCM one because I get the
impression that OpenSSL should be able to reach in the GB/s for AES-GCM
encryption/authentication.

Mark


On Mon, Jan 27, 2014 at 3:19 PM, Xuelei Fan <xuelei.fan at oracle.com> wrote:

> What's the platform are you using for the testing?  Windows, Linux,
> Solaris or Mac OS?  GCM are now only implemented in SunJCE provider.  I
> want to make sure the crypto provider for AES-CBC, which is different
> for different platforms by default, is not the major cause of the
> performance impact.
>
> Thanks for the performance measure.
>
> Regards,
> Xuelei
>
> On 1/27/2014 5:34 PM, Chris Hegarty wrote:
> > Cross posting to security-dev, since the question cipher related.
> >
> > -Chris.
> >
> > On 27/01/14 09:28, Mark Christiaens wrote:
> >> I wrote  a little test client/server setup that transfers 100 MB of data
> >> over an SSL socket configured to use TLS 1.2 AES GCM
> >> (TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256).  On my i7-4770 CPU @ 3.40GHz
> >> with OpenJDK 1.8.0-ea-b124 I get a transfer rate of around 5.2
> >> MiB/second.  I expected a higher speed.  Using
> >> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 I reach 100 MiB/s.  Is this to
> >> be expected?
> >>
> >> For reference, here is my code:
> >>
> >> ///// Client.java
> >>
> >> package ssl;
> >>
> >> import javax.net.ssl.*;
> >> import java.io.*;
> >> import java.util.Arrays;
> >>
> >> public class Client {
> >>
> >>      public static void main(String[] arstring) {
> >>          try {
> >>              SSLSocketFactory sslsocketfactory = (SSLSocketFactory)
> >> SSLSocketFactory.getDefault();
> >>              SSLSocket sslsocket = (SSLSocket)
> >> sslsocketfactory.createSocket("localhost", 9999);
> >>              Helper.requireAESCipherSuites(sslsocket);
> >>              sslsocket.setEnabledProtocols(new String[]{"TLSv1.2"});
> >>
> >>              try (OutputStream outputstream =
> >> sslsocket.getOutputStream()) {
> >>                  byte[] buf = new byte[Helper.BUF_SIZE];
> >>                  Arrays.fill(buf, (byte) 1);
> >>                  for (int i = 0; i < Helper.BUF_COUNT; ++i) {
> >>                      outputstream.write(buf);
> >>                  }
> >>
> >>                  System.out.println("Using cipher suite: " +
> >> (sslsocket.getSession()).getCipherSuite());
> >>
> >>                  outputstream.flush();
> >>              }
> >>
> >>          } catch (IOException exception) {
> >>              exception.printStackTrace();
> >>          }
> >>      }
> >> }
> >>
> >> ///// Server.java
> >>
> >> package ssl;
> >>
> >> import javax.net.ssl.*;
> >> import java.io.*;
> >>
> >> public class Server {
> >>
> >>      public static void main(String[] arstring) {
> >>          try {
> >>              SSLServerSocketFactory sslserversocketfactory =
> >> (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
> >>              SSLServerSocket sslserversocket = (SSLServerSocket)
> >> sslserversocketfactory.createServerSocket(9999);
> >>              SSLSocket sslsocket = (SSLSocket) sslserversocket.accept();
> >>
> >>              InputStream inputstream = sslsocket.getInputStream();
> >>
> >>              byte[] buf = new byte[Helper.BUF_SIZE];
> >>              long bytesToRead = BYTES_TO_READ;
> >>
> >>              long startTime = System.currentTimeMillis();
> >>
> >>              while (bytesToRead > 0) {
> >>                  bytesToRead -= inputstream.read(buf);
> >>              }
> >>
> >>              long stopTime = System.currentTimeMillis();
> >>              long totalTimeMs = stopTime - startTime;
> >>              double mbRead = BYTES_TO_READ / (1024.0 * 1024);
> >>              double totalTimeSeconds = totalTimeMs / 1000.0;
> >>              double mibPerSecond = mbRead / totalTimeSeconds;
> >>
> >>              System.out.println("Using cipher suite: " +
> >> (sslsocket.getSession()).getCipherSuite());
> >>              System.out.println("Read " + mbRead + "MiB in " +
> >> totalTimeSeconds + "s");
> >>              System.out.println("Bandwidth: " + mibPerSecond + "MiB/s");
> >>
> >>          } catch (IOException exception) {
> >>              exception.printStackTrace();
> >>          }
> >>      }
> >>
> >>      private static final int BYTES_TO_READ = Helper.BUF_COUNT *
> >> Helper.BUF_SIZE;
> >> }
> >>
> >> ///// Helper.java
> >>
> >> package ssl;
> >>
> >> import java.util.*;
> >> import java.util.regex.*;
> >> import javax.net.ssl.*;
> >>
> >> public class Helper {
> >>
> >>      static int BUF_SIZE = 1024 * 1024;
> >>      static int BUF_COUNT = 100;
> >>
> >>      static SSLSocket requireAESCipherSuites(SSLSocket socket) {
> >>          String supportedCipherSuites[] =
> >> socket.getSupportedCipherSuites();
> >>
> >>          System.out.println("Supported cipher suite: " +
> >> Arrays.toString(supportedCipherSuites));
> >>
> >>          List<String> selectedCipherSuites = new ArrayList<>();
> >>
> >> //        String patternString = ".*";
> >>          String patternString =
> "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
> >> //        String patternString =
> >> "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
> >>
> >>          Pattern pattern = Pattern.compile(patternString);
> >>
> >>          for (String cipherSuite : supportedCipherSuites) {
> >>              Matcher matcher = pattern.matcher(cipherSuite);
> >>              if (matcher.find()) {
> >>                  selectedCipherSuites.add(cipherSuite);
> >>              }
> >>          }
> >>
> >>          System.out.println("Selected cipher suites: " +
> >> selectedCipherSuites);
> >>
> >>          socket.setEnabledCipherSuites(selectedCipherSuites.toArray(new
> >> String[0]));
> >>
> >>          return socket;
> >>      }
> >> }
> >>
>
>


-- 
Mark Christiaens
Ganzeplas 23
9880 Aalter
09 / 325 07 40
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/security-dev/attachments/20140127/3fa301cc/attachment-0001.html 


More information about the security-dev mailing list