<div dir="ltr">Silly me, forgot to mention that I'm working on Ubuntu, 64 bit, 13.10.<div><br></div><div>So, AES-CBC seems to be reasonably fast (100 MiB/s) but AES-GCM is slow (5.2 MiB/s). I'm particularly curious about the GCM one because I get the impression that OpenSSL should be able to reach in the GB/s for AES-GCM encryption/authentication. </div>
<div><br></div><div>Mark</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jan 27, 2014 at 3:19 PM, Xuelei Fan <span dir="ltr"><<a href="mailto:xuelei.fan@oracle.com" target="_blank">xuelei.fan@oracle.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">What's the platform are you using for the testing? Windows, Linux,<br>
Solaris or Mac OS? GCM are now only implemented in SunJCE provider. I<br>
want to make sure the crypto provider for AES-CBC, which is different<br>
for different platforms by default, is not the major cause of the<br>
performance impact.<br>
<br>
Thanks for the performance measure.<br>
<br>
Regards,<br>
Xuelei<br>
<div class="HOEnZb"><div class="h5"><br>
On 1/27/2014 5:34 PM, Chris Hegarty wrote:<br>
> Cross posting to security-dev, since the question cipher related.<br>
><br>
> -Chris.<br>
><br>
> On 27/01/14 09:28, Mark Christiaens wrote:<br>
>> I wrote a little test client/server setup that transfers 100 MB of data<br>
>> over an SSL socket configured to use TLS 1.2 AES GCM<br>
>> (TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256). On my i7-4770 CPU @ 3.40GHz<br>
>> with OpenJDK 1.8.0-ea-b124 I get a transfer rate of around 5.2<br>
>> MiB/second. I expected a higher speed. Using<br>
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 I reach 100 MiB/s. Is this to<br>
>> be expected?<br>
>><br>
>> For reference, here is my code:<br>
>><br>
>> ///// Client.java<br>
>><br>
>> package ssl;<br>
>><br>
>> import javax.net.ssl.*;<br>
>> import java.io.*;<br>
>> import java.util.Arrays;<br>
>><br>
>> public class Client {<br>
>><br>
>> public static void main(String[] arstring) {<br>
>> try {<br>
>> SSLSocketFactory sslsocketfactory = (SSLSocketFactory)<br>
>> SSLSocketFactory.getDefault();<br>
>> SSLSocket sslsocket = (SSLSocket)<br>
>> sslsocketfactory.createSocket("localhost", 9999);<br>
>> Helper.requireAESCipherSuites(sslsocket);<br>
>> sslsocket.setEnabledProtocols(new String[]{"TLSv1.2"});<br>
>><br>
>> try (OutputStream outputstream =<br>
>> sslsocket.getOutputStream()) {<br>
>> byte[] buf = new byte[Helper.BUF_SIZE];<br>
>> Arrays.fill(buf, (byte) 1);<br>
>> for (int i = 0; i < Helper.BUF_COUNT; ++i) {<br>
>> outputstream.write(buf);<br>
>> }<br>
>><br>
>> System.out.println("Using cipher suite: " +<br>
>> (sslsocket.getSession()).getCipherSuite());<br>
>><br>
>> outputstream.flush();<br>
>> }<br>
>><br>
>> } catch (IOException exception) {<br>
>> exception.printStackTrace();<br>
>> }<br>
>> }<br>
>> }<br>
>><br>
>> ///// Server.java<br>
>><br>
>> package ssl;<br>
>><br>
>> import javax.net.ssl.*;<br>
>> import java.io.*;<br>
>><br>
>> public class Server {<br>
>><br>
>> public static void main(String[] arstring) {<br>
>> try {<br>
>> SSLServerSocketFactory sslserversocketfactory =<br>
>> (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();<br>
>> SSLServerSocket sslserversocket = (SSLServerSocket)<br>
>> sslserversocketfactory.createServerSocket(9999);<br>
>> SSLSocket sslsocket = (SSLSocket) sslserversocket.accept();<br>
>><br>
>> InputStream inputstream = sslsocket.getInputStream();<br>
>><br>
>> byte[] buf = new byte[Helper.BUF_SIZE];<br>
>> long bytesToRead = BYTES_TO_READ;<br>
>><br>
>> long startTime = System.currentTimeMillis();<br>
>><br>
>> while (bytesToRead > 0) {<br>
>> bytesToRead -= inputstream.read(buf);<br>
>> }<br>
>><br>
>> long stopTime = System.currentTimeMillis();<br>
>> long totalTimeMs = stopTime - startTime;<br>
>> double mbRead = BYTES_TO_READ / (1024.0 * 1024);<br>
>> double totalTimeSeconds = totalTimeMs / 1000.0;<br>
>> double mibPerSecond = mbRead / totalTimeSeconds;<br>
>><br>
>> System.out.println("Using cipher suite: " +<br>
>> (sslsocket.getSession()).getCipherSuite());<br>
>> System.out.println("Read " + mbRead + "MiB in " +<br>
>> totalTimeSeconds + "s");<br>
>> System.out.println("Bandwidth: " + mibPerSecond + "MiB/s");<br>
>><br>
>> } catch (IOException exception) {<br>
>> exception.printStackTrace();<br>
>> }<br>
>> }<br>
>><br>
>> private static final int BYTES_TO_READ = Helper.BUF_COUNT *<br>
>> Helper.BUF_SIZE;<br>
>> }<br>
>><br>
>> ///// Helper.java<br>
>><br>
>> package ssl;<br>
>><br>
>> import java.util.*;<br>
>> import java.util.regex.*;<br>
>> import javax.net.ssl.*;<br>
>><br>
>> public class Helper {<br>
>><br>
>> static int BUF_SIZE = 1024 * 1024;<br>
>> static int BUF_COUNT = 100;<br>
>><br>
>> static SSLSocket requireAESCipherSuites(SSLSocket socket) {<br>
>> String supportedCipherSuites[] =<br>
>> socket.getSupportedCipherSuites();<br>
>><br>
>> System.out.println("Supported cipher suite: " +<br>
>> Arrays.toString(supportedCipherSuites));<br>
>><br>
>> List<String> selectedCipherSuites = new ArrayList<>();<br>
>><br>
>> // String patternString = ".*";<br>
>> String patternString = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";<br>
>> // String patternString =<br>
>> "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";<br>
>><br>
>> Pattern pattern = Pattern.compile(patternString);<br>
>><br>
>> for (String cipherSuite : supportedCipherSuites) {<br>
>> Matcher matcher = pattern.matcher(cipherSuite);<br>
>> if (matcher.find()) {<br>
>> selectedCipherSuites.add(cipherSuite);<br>
>> }<br>
>> }<br>
>><br>
>> System.out.println("Selected cipher suites: " +<br>
>> selectedCipherSuites);<br>
>><br>
>> socket.setEnabledCipherSuites(selectedCipherSuites.toArray(new<br>
>> String[0]));<br>
>><br>
>> return socket;<br>
>> }<br>
>> }<br>
>><br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Mark Christiaens<br>Ganzeplas 23<br>9880 Aalter<br>09 / 325 07 40
</div>