AES GCM slow

Xuelei Fan xuelei.fan at oracle.com
Mon Jan 27 06:19:17 PST 2014 

What's the platform are you using for the testing?  Windows, Linux,
Solaris or Mac OS?  GCM are now only implemented in SunJCE provider.  I
want to make sure the crypto provider for AES-CBC, which is different
for different platforms by default, is not the major cause of the
performance impact.

Thanks for the performance measure.

Regards,
Xuelei

On 1/27/2014 5:34 PM, Chris Hegarty wrote:
> Cross posting to security-dev, since the question cipher related.
> 
> -Chris.
> 
> On 27/01/14 09:28, Mark Christiaens wrote:
>> I wrote  a little test client/server setup that transfers 100 MB of data
>> over an SSL socket configured to use TLS 1.2 AES GCM
>> (TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256).  On my i7-4770 CPU @ 3.40GHz
>> with OpenJDK 1.8.0-ea-b124 I get a transfer rate of around 5.2
>> MiB/second.  I expected a higher speed.  Using
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 I reach 100 MiB/s.  Is this to
>> be expected?
>>
>> For reference, here is my code:
>>
>> ///// Client.java
>>
>> package ssl;
>>
>> import javax.net.ssl.*;
>> import java.io.*;
>> import java.util.Arrays;
>>
>> public class Client {
>>
>>      public static void main(String[] arstring) {
>>          try {
>>              SSLSocketFactory sslsocketfactory = (SSLSocketFactory)
>> SSLSocketFactory.getDefault();
>>              SSLSocket sslsocket = (SSLSocket)
>> sslsocketfactory.createSocket("localhost", 9999);
>>              Helper.requireAESCipherSuites(sslsocket);
>>              sslsocket.setEnabledProtocols(new String[]{"TLSv1.2"});
>>
>>              try (OutputStream outputstream =
>> sslsocket.getOutputStream()) {
>>                  byte[] buf = new byte[Helper.BUF_SIZE];
>>                  Arrays.fill(buf, (byte) 1);
>>                  for (int i = 0; i < Helper.BUF_COUNT; ++i) {
>>                      outputstream.write(buf);
>>                  }
>>
>>                  System.out.println("Using cipher suite: " +
>> (sslsocket.getSession()).getCipherSuite());
>>
>>                  outputstream.flush();
>>              }
>>
>>          } catch (IOException exception) {
>>              exception.printStackTrace();
>>          }
>>      }
>> }
>>
>> ///// Server.java
>>
>> package ssl;
>>
>> import javax.net.ssl.*;
>> import java.io.*;
>>
>> public class Server {
>>
>>      public static void main(String[] arstring) {
>>          try {
>>              SSLServerSocketFactory sslserversocketfactory =
>> (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
>>              SSLServerSocket sslserversocket = (SSLServerSocket)
>> sslserversocketfactory.createServerSocket(9999);
>>              SSLSocket sslsocket = (SSLSocket) sslserversocket.accept();
>>
>>              InputStream inputstream = sslsocket.getInputStream();
>>
>>              byte[] buf = new byte[Helper.BUF_SIZE];
>>              long bytesToRead = BYTES_TO_READ;
>>
>>              long startTime = System.currentTimeMillis();
>>
>>              while (bytesToRead > 0) {
>>                  bytesToRead -= inputstream.read(buf);
>>              }
>>
>>              long stopTime = System.currentTimeMillis();
>>              long totalTimeMs = stopTime - startTime;
>>              double mbRead = BYTES_TO_READ / (1024.0 * 1024);
>>              double totalTimeSeconds = totalTimeMs / 1000.0;
>>              double mibPerSecond = mbRead / totalTimeSeconds;
>>
>>              System.out.println("Using cipher suite: " +
>> (sslsocket.getSession()).getCipherSuite());
>>              System.out.println("Read " + mbRead + "MiB in " +
>> totalTimeSeconds + "s");
>>              System.out.println("Bandwidth: " + mibPerSecond + "MiB/s");
>>
>>          } catch (IOException exception) {
>>              exception.printStackTrace();
>>          }
>>      }
>>
>>      private static final int BYTES_TO_READ = Helper.BUF_COUNT *
>> Helper.BUF_SIZE;
>> }
>>
>> ///// Helper.java
>>
>> package ssl;
>>
>> import java.util.*;
>> import java.util.regex.*;
>> import javax.net.ssl.*;
>>
>> public class Helper {
>>
>>      static int BUF_SIZE = 1024 * 1024;
>>      static int BUF_COUNT = 100;
>>
>>      static SSLSocket requireAESCipherSuites(SSLSocket socket) {
>>          String supportedCipherSuites[] =
>> socket.getSupportedCipherSuites();
>>
>>          System.out.println("Supported cipher suite: " +
>> Arrays.toString(supportedCipherSuites));
>>
>>          List<String> selectedCipherSuites = new ArrayList<>();
>>
>> //        String patternString = ".*";
>>          String patternString = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
>> //        String patternString =
>> "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
>>
>>          Pattern pattern = Pattern.compile(patternString);
>>
>>          for (String cipherSuite : supportedCipherSuites) {
>>              Matcher matcher = pattern.matcher(cipherSuite);
>>              if (matcher.find()) {
>>                  selectedCipherSuites.add(cipherSuite);
>>              }
>>          }
>>
>>          System.out.println("Selected cipher suites: " +
>> selectedCipherSuites);
>>
>>          socket.setEnabledCipherSuites(selectedCipherSuites.toArray(new
>> String[0]));
>>
>>          return socket;
>>      }
>> }
>>

More information about the net-dev mailing list