If what you want is simply encrypt and decrypt files using command-line
openssl executable, then you don't need to play with engine or evp options.
"openssl enc" uses the EVP interface, which in turn will make use of
AES-NI instructions if available (or SSE3, SSE2, SSE, anything available
on the runtime platform to speed it up).
--
Erwann ABALEA
Le 13/03/2013 18:07, Ewen Chan a écrit :
Yea, I've tried reading the man pages, but it doesn't list all of the
options available on there (which would tend to indicate that it is a
little behind compared to the development and released versions of
OpenSSL).
Do you need the '-evp' flag to use '-engine aesni' or they operate
independent of each other?
And if I'm not planning on coding with the OpenSSL library, but rather
just using it to encrypt/decrypt files on my system; then I don't need
the '-evp' flag correct?
On Wed, Mar 13, 2013 at 12:56 PM, Erwann Abalea
<erwann.aba...@keynectis.com> wrote:
Le 13/03/2013 17:17, Ewen Chan a écrit :
I'm quite new to openSSL and AES and cryptography as a whole, so
please forgive my "stupid" questions.
You then may start by reading the different manpages, then. OpenSSL is a
large beast, and you won't do anything useful without reading.
I've read that because of the way that the AES-CBC works that it
depends on the result from the previous round in order to encrypt the
current round that it is inherently not well suited for
parallelization; which I am then guessing that it is very possible
that it would run (a LOT) slower on GPGPU than it would on an AES-NI
enabled CPU. Would that be a fair and safe assumption?
That's right.
You can achieve better performance with CTR mode, for example. But even
there, I doubt you can beat AES-NI.
I'm also looking online and through the man pages and it seems like
that people are invoking the aesni by using the command:
openssl -engine aesni -evp aes-256-cbc ...
what's the '-evp' flag for?
It means "use the EVP interface". EVP is a higher level interface to
cryptographic primitives. In the case of AES, it can make use of AES-NI
instructions if available. That's useful only if you plan to code using the
OpenSSL library.
On Wed, Mar 13, 2013 at 12:12 PM, Erwann Abalea
<erwann.aba...@keynectis.com> wrote:
GPGPU isn't natively supported. You can write your own engine if you
want,
but I think memory transfers will dominate the cost.
AES-NI is natively supported (I get about 550MB/s on my i5 M540 @2.53 GHz
for 8k blocks).
--
Erwann ABALEA
Le 13/03/2013 16:49, Ewen Chan a écrit :
Would it be faster to encrypt/decrypt AES-256-CBC with an AES-NI
enabled CPU or would it faster do it with a GPGPU?
Does OpenSSL even support GPU acceleration?
On Wed, Mar 13, 2013 at 11:44 AM, Ewen Chan <chan.e...@gmail.com> wrote:
Thanks.
On Wed, Mar 13, 2013 at 10:56 AM, Erwann Abalea
<erwann.aba...@keynectis.com> wrote:
The algorithm "Rijndael" has some knobs you can turn to tune.
The standard "AES" has these parameters fixed in stone.
AES-192 is effectively "less secure" than AES-256 because of the key
length
and number of rounds.
But "less secure" may be "secure enough". In fact, AES-128 is secure
enough
for most uses.
Number of rounds is important for AES security as it is for any other
algorithm (think about attacks on reduced-rounds AES/SHA/whatever).
--
Erwann ABALEA
Le 13/03/2013 15:31, Ewen Chan a écrit :
So the algorithms include the number of rounds? I thought that it
would only describe the math process and that it would be independent
of the number of rounds (so long as you meed Rijndael's "minimum" -
which is what the current number of rounds is set/default as).
I did not know that. Hmmm....thanks.
Does this mean that a AES-192-CBC is less secure than an AES-256-CBC
because of the key length and the number of rounds associated with
that; or am I understanding that wrong - that the number of rounds
has
less-so to do with the security of the algorithm compared to the key
length?
On Wed, Mar 13, 2013 at 10:24 AM, Erwann Abalea
<erwann.aba...@keynectis.com> wrote:
If you change the number of rounds, then it's not AES anymore, but a
custom
Rijndael.
Reading the source code, it appears there's no support for that in
OpenSSL
(and poking inside an AES_KEY to change the number of rounds
probably
won't
work).
--
Erwann ABALEA
Le 13/03/2013 14:32, Ewen Chan a écrit :
There's a file that I want to encrypt using AES-192-CBC but with 19
rounds rather than the default 12-rounds.
Is there a way for me to specify the number of rounds that I would
like to use with the AES-192-CBC? (and override the algorithm
defaults)?
Is that something that I can within the openssl command itself (to
encrypt a file) or is the process much more involved than that? And
requires programming/scripting?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
