OpenSSL Cipher Speed

mdaxini edited this page Oct 30, 2014 · 1 revision

OpenSSL offers a speed tool to test and compare cipher speeds. Machines with CPUs offering AES-NI support will see as much as 50% improvement in speed for some ciphers.

All the AWS instance types support AES-NI (source: AWS Instance Type Matrix).

To check whether AES-NI is supported on Linux, look for the aes CPU flag:

  • cat /proc/cpuinfo | grep aes

Cipher performance

With AES-NI enabled

	openssl speed -elapsed -evp aes-128-cbc

With AES-NI disabled (the OPENSSL_ia32cap mask clears the AES-NI and PCLMULQDQ capability bits)

	OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc

Performance Results

Performance analysis environment:

  • AWS r3.xlarge instance
  • Ubuntu 14.04
  • gcc 4.8.2
  • OpenSSL version 1.0.1f (this version is immune to the Heartbleed vulnerability)

The tests for each input data size were run for 3 seconds, for the ciphers that we were interested in, both with and without AES-NI support.

Throughput is in 1000s of bytes per second, as reported by openssl speed.

| Cipher | AES-NI Enabled | 16 bytes | 64 bytes | 256 bytes | 1024 bytes | 8192 bytes |
|---|---|---|---|---|---|---|
| aes-128-cbc | Yes | 522138.77k | 556844.12k | 565751.21k | 568527.19k | 569161.05k |
| aes-128-cbc | No | 251155.07k | 281797.40k | 288457.39k | 293490.01k | 293360.98k |
| aes-128-gcm | Yes | 282247.11k | 687515.58k | 908669.27k | 973724.33k | 1000751.10k |
| aes-128-gcm | No | 72770.61k | 83879.10k | 193990.06k | 180874.24k | 211670.36k |
| aes-192-cbc | Yes | 441970.44k | 466626.88k | 472969.05k | 474343.42k | 475119.62k |
| aes-192-cbc | No | 218683.26k | 237568.28k | 243179.01k | 245316.95k | 245970.26k |
| aes-192-gcm | Yes | 243939.89k | 650136.94k | 855713.71k | 930768.90k | 944444.76k |
| aes-192-gcm | No | 64410.55k | 73188.25k | 177231.10k | 191697.24k | 194322.43k |
| aes-256-cbc | Yes | 383254.35k | 401405.10k | 406361.26k | 407183.02k | 407866.03k |
| aes-256-cbc | No | 190969.32k | 205366.66k | 206959.27k | 209405.27k | 210132.99k |
| aes-256-gcm | Yes | 232089.41k | 606408.66k | 797758.38k | 858324.99k | 870577.49k |
| aes-256-gcm | No | 58105.64k | 64723.09k | 166331.22k | 179110.23k | 182190.08k |

It's evident that with AES-NI support it is possible to get good performance with better security by choosing a GCM-based cipher. The observed performance was consistently twice as fast as without AES-NI support.
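
The flag check and the with/without comparison can be scripted. The sh functions below are an added example, not part of the original page: they match the aes flag as a whole word, wrap the two openssl speed invocations shown earlier, and compute the per-block-size ratio between an AES-NI row and a non-AES-NI row. Function names are hypothetical; the two sample rows are the aes-128-gcm results from the table above.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# Succeed if a cpuinfo-style file lists "aes" as a whole CPU flag.
# A bare `grep aes` also matches longer flag names containing "aes" (e.g. vaes).
has_aes_flag() {
    grep -E '^flags[[:space:]]*:' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# Print the openssl speed result row for cipher $1, e.g. "aes-128-cbc 522138.77k ...".
# Optional $2 is an OPENSSL_ia32cap mask (the page's value disables AES-NI).
bench_row() {
    if [ -n "${2:-}" ]; then
        OPENSSL_ia32cap="$2" openssl speed -elapsed -evp "$1" 2>/dev/null
    else
        openssl speed -elapsed -evp "$1" 2>/dev/null
    fi | grep -i "^$1" | tail -n 1
}

# speedup ROW_WITH ROW_WITHOUT: ratio of the two rows for each block-size column.
# awk's "$i + 0" keeps the leading number and drops the trailing "k".
speedup() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { name = $1; n = NF; for (i = 2; i <= NF; i++) ni[i] = $i + 0 }
        NR == 2 {
            printf "%s", name
            for (i = 2; i <= n; i++) {
                sw = $i + 0
                if (sw > 0) { printf " %.2f", ni[i] / sw } else { printf " n/a" }
            }
            printf "\n"
        }'
}

# Run both benchmarks for cipher $1 on this machine and print the ratios.
compare() {
    speedup "$(bench_row "$1")" "$(bench_row "$1" '~0x200000200000000')"
}

# Offline demo on rows copied from the page's results table (aes-128-gcm).
GCM_ON='aes-128-gcm 282247.11k 687515.58k 908669.27k 973724.33k 1000751.10k'
GCM_OFF='aes-128-gcm 72770.61k 83879.10k 193990.06k 180874.24k 211670.36k'
speedup "$GCM_ON" "$GCM_OFF"
```

On a machine with openssl installed, compare aes-128-gcm runs both benchmarks and prints the same kind of ratio row for live measurements.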
