Yea, I've tried reading the man pages, but it doesn't list all of the options available on there (which would tend to indicate that it is a little behind compared to the development and released versions of OpenSSL).
Do you need the '-evp' flag to use '-engine aesni' or they operate independent of each other? And if I'm not planning on coding with the OpenSSL library, but rather just using it to encrypt/decrypt files on my system; then I don't need the '-evp' flag correct? On Wed, Mar 13, 2013 at 12:56 PM, Erwann Abalea <erwann.aba...@keynectis.com> wrote: > Le 13/03/2013 17:17, Ewen Chan a écrit : > >> I'm quite new to openSSL and AES and cryptography as a whole, so >> please forgive my "stupid" questions. > > > You then may start by reading the different manpages, then. OpenSSL is a > large beast, and you won't do anything useful without reading. > > >> I've read that because of the way that the AES-CBC works that it >> depends on the result from the previous round in order to encrypt the >> current round that it is inherently not well suited for >> parallelization; which I am then guessing that it is very possible >> that it would run (a LOT) slower on GPGPU than it would on an AES-NI >> enabled CPU. Would that be a fair and safe assumption? > > > That's right. > You can achieve better performance with CTR mode, for example. But even > there, I doubt you can beat AES-NI. > > >> I'm also looking online and through the man pages and it seems like >> that people are invoking the aesni by using the command: >> >> openssl -engine aesni -evp aes-256-cbc ... >> >> what's the '-evp' flag for? > > > It means "use the EVP interface". EVP is a higher level interface to > cryptographic primitives. In the case of AES, it can make use of AES-NI > instructions if available. That's useful only if you plan to code using the > OpenSSL library. > > >> On Wed, Mar 13, 2013 at 12:12 PM, Erwann Abalea >> <erwann.aba...@keynectis.com> wrote: >>> >>> GPGPU isn't natively supported. You can write your own engine if you >>> want, >>> but I think memory transfers will dominate the cost. >>> AES-NI is natively supported (I get about 550MB/s on my i5 M540 @2.53 GHz >>> for 8k blocks). >>> >>> -- >>> Erwann ABALEA >>> >>> Le 13/03/2013 16:49, Ewen Chan a écrit : >>>> >>>> Would it be faster to encrypt/decrypt AES-256-CBC with an AES-NI >>>> enabled CPU or would it faster do it with a GPGPU? >>>> >>>> Does OpenSSL even support GPU acceleration? >>>> >>>> On Wed, Mar 13, 2013 at 11:44 AM, Ewen Chan <chan.e...@gmail.com> wrote: >>>>> >>>>> Thanks. >>>>> >>>>> On Wed, Mar 13, 2013 at 10:56 AM, Erwann Abalea >>>>> <erwann.aba...@keynectis.com> wrote: >>>>>> >>>>>> The algorithm "Rijndael" has some knobs you can turn to tune. >>>>>> The standard "AES" has these parameters fixed in stone. >>>>>> >>>>>> AES-192 is effectively "less secure" than AES-256 because of the key >>>>>> length >>>>>> and number of rounds. >>>>>> But "less secure" may be "secure enough". In fact, AES-128 is secure >>>>>> enough >>>>>> for most uses. >>>>>> Number of rounds is important for AES security as it is for any other >>>>>> algorithm (think about attacks on reduced-rounds AES/SHA/whatever). >>>>>> >>>>>> -- >>>>>> Erwann ABALEA >>>>>> >>>>>> Le 13/03/2013 15:31, Ewen Chan a écrit : >>>>>> >>>>>>> So the algorithms include the number of rounds? I thought that it >>>>>>> would only describe the math process and that it would be independent >>>>>>> of the number of rounds (so long as you meed Rijndael's "minimum" - >>>>>>> which is what the current number of rounds is set/default as). >>>>>>> >>>>>>> I did not know that. Hmmm....thanks. >>>>>>> >>>>>>> Does this mean that a AES-192-CBC is less secure than an AES-256-CBC >>>>>>> because of the key length and the number of rounds associated with >>>>>>> that; or am I understanding that wrong - that the number of rounds >>>>>>> has >>>>>>> less-so to do with the security of the algorithm compared to the key >>>>>>> length? >>>>>>> >>>>>>> On Wed, Mar 13, 2013 at 10:24 AM, Erwann Abalea >>>>>>> <erwann.aba...@keynectis.com> wrote: >>>>>>>> >>>>>>>> If you change the number of rounds, then it's not AES anymore, but a >>>>>>>> custom >>>>>>>> Rijndael. >>>>>>>> Reading the source code, it appears there's no support for that in >>>>>>>> OpenSSL >>>>>>>> (and poking inside an AES_KEY to change the number of rounds >>>>>>>> probably >>>>>>>> won't >>>>>>>> work). >>>>>>>> >>>>>>>> -- >>>>>>>> Erwann ABALEA >>>>>>>> >>>>>>>> Le 13/03/2013 14:32, Ewen Chan a écrit : >>>>>>>> >>>>>>>>> There's a file that I want to encrypt using AES-192-CBC but with 19 >>>>>>>>> rounds rather than the default 12-rounds. >>>>>>>>> >>>>>>>>> Is there a way for me to specify the number of rounds that I would >>>>>>>>> like to use with the AES-192-CBC? (and override the algorithm >>>>>>>>> defaults)? >>>>>>>>> >>>>>>>>> Is that something that I can within the openssl command itself (to >>>>>>>>> encrypt a file) or is the process much more involved than that? And >>>>>>>>> requires programming/scripting? >>>>>>>> >>>>>>>> >>>> ______________________________________________________________________ >>>> OpenSSL Project http://www.openssl.org >>>> User Support Mailing List openssl-users@openssl.org >>>> Automated List Manager majord...@openssl.org >>>> > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
