-
Notifications
You must be signed in to change notification settings - Fork 7
OpenSSL Cipher Speed
mdaxini edited this page Oct 30, 2014
·
1 revision
OpenSSL offers a speed tool to test and compare cipher speeds. Machines with CPUs offering AES-NI support will see as much as 50% improvement in speed for some ciphers.
All the AWS instance types support AES-NI. Source AWS Instace Type Matrix.
To check AES-NI is supported on linux check for the aes cpu flag:
cat /proc/cpuinfo | grep aes
With AES-NI enabled
openssl speed -elapsed -evp aes-128-cbc
With disabled AES-NI
OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
Performance analysis environment:
- AWS r3.xlarge instance
- running Ubuntu 14.04 with
- gcc - 4.8.2, and
- OpenSSL version 1.0.1f (this version is immune to Heartbleed vulnerability.)
The tests for each input data size was performed for 3 seconds, for the ciphers that we were interested in, and with-and-without AES-NI support.
| Cipher | AES-NI Enabled | 16 bytes | 64 bytes | 256 bytes | 1024 bytes | 8192 bytes |
|---|---|---|---|---|---|---|
| aes-128-cbc | Yes | 522138.77k | 556844.12k | 565751.21k | 568527.19k | 569161.05k |
| aes-128-cbc | no | 251155.07k | 281797.40k | 288457.39k | 293490.01k | 293360.98k |
| aes-128-gcm | Yes | 282247.11k | 687515.58k | 908669.27k | 973724.33k | 1000751.10k |
| aes-128-gcm | no | 72770.61k | 83879.10k | 193990.06k | 180874.24k | 211670.36k |
| aes-192-cbc | Yes | 441970.44k | 466626.88k | 472969.05k | 474343.42k | 475119.62k |
| aes-192-cbc | no | 218683.26k | 237568.28k | 243179.01k | 245316.95k | 245970.26k |
| aes-192-gcm | Yes | 243939.89k | 650136.94k | 855713.71k | 930768.90k | 944444.76k |
| aes-192-gcm | no | 64410.55k | 73188.25k | 177231.10k | 191697.24k | 194322.43k |
| aes-256-cbc | Yes | 383254.35k | 401405.10k | 406361.26k | 407183.02k | 407866.03k |
| aes-256-cbc | no | 190969.32k | 205366.66k | 206959.27k | 209405.27k | 210132.99k |
| aes-256-gcm | Yes | 232089.41k | 606408.66k | 797758.38k | 858324.99k | 870577.49k |
| aes-256-gcm | no | 58105.64k | 64723.09k | 166331.22k | 179110.23k | 182190.08k |
Its evident that with AES-NI support it is possible to get good perormance with better security by choosing a GCM based cipher. The obeserved performace was consistently twice as fast compared to no AES-NI support.