Hello all,
I've searched the archives and couldn't find anything related, so I'm posting here for some help/advice.

Basically, I have a machine that is going into production as an SSL-based VPN server (OpenVPN on the amd64 OpenBSD port, to be precise) and I was trying to determine which cipher to use to get the best balance of speed and security (key size?). The server has an AMD Sempron 64-bit CPU running at 1.6 GHz. I was particularly interested in aes-256-cbc, after some research, so I ran some tests on the box (all tests were when the server was 99% idle):

====================================================================
# openssl speed -evp aes-256-cbc
To get the most accurate results, try to run this program when this computer is idle.
Doing aes-256-cbc for 3s on 16 size blocks: 9862366 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 2654800 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 256 size blocks: 682695 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 1024 size blocks: 171871 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 8192 size blocks: 21527 aes-256-cbc's in 3.01s
OpenSSL 0.9.7g 11 Apr 2005
built on: date not available
options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,4,int) aes(partial) blowfish(idx)
compiler: information not available
available timing options: USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     52599.29k    56488.64k    58105.31k    58512.93k    58630.37k
====================================================================

I have a few questions regarding the test:

1) Does the part that states "numbers are in 1000s of bytes per second" mean that the figures below still have to be translated into 'human readable' quantities, or has that already been performed? I'm guessing it has already been performed, mainly due to the 'k' on the end; however, I could be very wrong.
2) This seems, to the novice in me, to be a fairly well balanced cipher to use on this kit, as the rate seems to be close regardless of block size. Does the block size roughly equate to network packets in an SSL VPN scenario?

I also have a 2 GHz AMD Athlon 64 3200+ which happens to have a hifn crypto PCI card in it, exact same OpenBSD 3.8 OS:

====================================================================
# dmesg |grep hifn
hifn0 at pci0 dev 9 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 11
====================================================================

So I thought I'd run the same test on it to see how much faster the hifn card is:

====================================================================
# openssl speed -evp aes-256-cbc
To get the most accurate results, try to run this program when this computer is idle.
Doing aes-256-cbc for 3s on 16 size blocks: 40467 aes-256-cbc's in 0.02s
Doing aes-256-cbc for 3s on 64 size blocks: 40014 aes-256-cbc's in 0.00s
Doing aes-256-cbc for 3s on 256 size blocks: 38356 aes-256-cbc's in 0.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 29925 aes-256-cbc's in 0.02s
Doing aes-256-cbc for 3s on 8192 size blocks: 9659 aes-256-cbc's in 0.00s
OpenSSL 0.9.7g 11 Apr 2005
built on: date not available
options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,4,int) aes(partial) blowfish(idx)
compiler: information not available
available timing options: USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     41438.21k  2560896.00k  9819136.00k  1961164.80k 79126528.00k
====================================================================

Questions:

1) Why does it mention that it is running for 3 seconds but then state a fraction of that in the last column (elapsed time?)?
2) Notice that the non-accelerated box processed ~21000 8kb blocks in 3 seconds, yet the accelerated box reckons it did 9659 of the same size blocks in 0.00 seconds. Can I force the speed test to run for 3 seconds?

Sometimes the accelerated test results are like this:

====================================================================
# openssl speed -evp aes-256-cbc
To get the most accurate results, try to run this program when this computer is idle.
Doing aes-256-cbc for 3s on 16 size blocks: 40601 aes-256-cbc's in 0.02s
Doing aes-256-cbc for 3s on 64 size blocks: 39915 aes-256-cbc's in 0.02s
Doing aes-256-cbc for 3s on 256 size blocks: 38326 aes-256-cbc's in 0.02s
Doing aes-256-cbc for 3s on 1024 size blocks: 29922 aes-256-cbc's in 0.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 9682 aes-256-cbc's in 0.01s
OpenSSL 0.9.7g 11 Apr 2005
built on: date not available
options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,4,int) aes(partial) blowfish(idx)
compiler: information not available
available timing options: USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     41575.42k   163491.84k   418613.19k 30640128.00k 10152962.62k
====================================================================

Notice the 8k blocks took 0.01 seconds this time and the rate drops from ~79 million to ~10 million. What better ways are there to test this sort of thing?

I don't know if any of this is a big deal, but I'm curious nonetheless, as I'm trying to determine whether it is worth equipping each VPN box with a hifn card before deploying.

Any help or advice appreciated.

Cheers,
Brian.
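An added example, not part of the original post or of OpenSSL: a Python sketch that parses the "Doing ..." lines from two of the runs quoted above, recomputes the rate from the measured time (the output names getrusage as the timing function, i.e. CPU time), and flags rows where that time is far below the nominal run length. The `analyse` function and its `min_cpu_fraction` threshold are hypothetical, and the `wall_k` estimate assumes each loop really ran for the nominal 3 s of wall-clock time.

```python
import re

# "Doing ..." lines copied from two of the runs quoted in the post above.
SOFTWARE = """\
Doing aes-256-cbc for 3s on 16 size blocks: 9862366 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 2654800 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 256 size blocks: 682695 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 1024 size blocks: 171871 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 8192 size blocks: 21527 aes-256-cbc's in 3.01s
"""
HIFN = """\
Doing aes-256-cbc for 3s on 16 size blocks: 40467 aes-256-cbc's in 0.02s
Doing aes-256-cbc for 3s on 64 size blocks: 40014 aes-256-cbc's in 0.00s
Doing aes-256-cbc for 3s on 256 size blocks: 38356 aes-256-cbc's in 0.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 29925 aes-256-cbc's in 0.02s
Doing aes-256-cbc for 3s on 8192 size blocks: 9659 aes-256-cbc's in 0.00s
"""

LINE = re.compile(
    r"Doing \S+ for (\d+)s on (\d+) size blocks: (\d+) \S+ in ([\d.]+)s")

def analyse(text, min_cpu_fraction=0.5):
    """Return one dict per block size with the reported and wall-clock rates."""
    rows = []
    for m in LINE.finditer(text):
        nominal, size, count = (int(g) for g in m.groups()[:3])
        cpu = float(m.group(4))
        total = size * count  # bytes processed during the run
        rows.append({
            "size": size,
            # Bytes / measured time, in 1000s of bytes per second.
            # Undefined when the measured time rounds to 0.00.
            "reported_k": total / cpu / 1000 if cpu > 0 else None,
            # Assumption: the loop ran for the nominal wall-clock time.
            "wall_k": total / nominal / 1000,
            # Measured time far below the nominal run length means the work
            # was done off-CPU, so the printed rate is not a throughput.
            "suspect": cpu < min_cpu_fraction * nominal,
        })
    return rows

if __name__ == "__main__":
    for name, run in (("software", SOFTWARE), ("hifn", HIFN)):
        for r in analyse(run):
            flag = "  <- CPU time << run time" if r["suspect"] else ""
            print(f"{name:8} {r['size']:5}B {r['wall_k']:10.2f}k{flag}")
```
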
