Performance comparison of OpenSSL with and without FIPS

From: Security
Revision as of 17:27, 14 November 2015 (Sat) by Daemon (page created)


The OpenSSL shipped with RedHat/CentOS has the FIPS patch applied and appears to be slow. I compared the two on CentOS.

Reading

OpenSSL
おーぷん えすえすえる (ōpun esu-esu-eru)

Overview

I needed an OpenSSL without FIPS, so I built one myself. The two are not the same release, but these are the versions I compared:

  • Self-built 1.0.1p
  • OpenSSL 1.0.1e-fips 11 Feb 2013

Conclusion

The self-built 1.0.1p was slightly faster than 1.0.1e-fips.

sha256 throughput (1000s of bytes per second processed)

Block size    1.0.1p        1.0.1e-fips
16 bytes      23636.25k     19477.13k
64 bytes      51426.23k     58752.54k
256 bytes     99728.59k     86939.11k
1024 bytes    118058.43k    102855.30k
8192 bytes    120578.76k    100640.73k

Test environment

  • VMware Player
  • CentOS 7

Build procedure

tar zxfp openssl-1.0.1p.tar.gz
cd openssl-1.0.1p
sudo yum install zlib-devel
sh config zlib
make

Benchmark

OpenSSL 1.0.1p

$ env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl version
OpenSSL 1.0.1p 9 Jul 2015
$ env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 3648846 sha256's in 2.47s
Doing sha256 for 3s on 64 size blocks: 1960625 sha256's in 2.44s
Doing sha256 for 3s on 256 size blocks: 973912 sha256's in 2.50s
Doing sha256 for 3s on 1024 size blocks: 296299 sha256's in 2.57s
Doing sha256 for 3s on 8192 size blocks: 35473 sha256's in 2.41s
OpenSSL 1.0.1p 9 Jul 2015
built on: Sat Nov 14 16:13:48 2015
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
-DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256           23636.25k    51426.23k    99728.59k   118058.43k   120578.76k

OpenSSL 1.0.1e-fips

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
$ openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 2872877 sha256's in 2.36s
Doing sha256 for 3s on 64 size blocks: 2267481 sha256's in 2.47s
Doing sha256 for 3s on 256 size blocks: 862599 sha256's in 2.54s
Doing sha256 for 3s on 1024 size blocks: 243076 sha256's in 2.42s
Doing sha256 for 3s on 8192 size blocks: 29976 sha256's in 2.44s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Mar 23 21:01:31 UTC 2015
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic
-Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
-DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256           19477.13k    58752.54k    86939.11k   102855.30k   100640.73k

perf

1.0.1p

$ perf stat env OPENSSL_CONF=$PWD/apps/openssl.cnf ./apps/openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 3772148 sha256's in 2.38s
Doing sha256 for 3s on 64 size blocks: 1972414 sha256's in 2.33s
Doing sha256 for 3s on 256 size blocks: 866078 sha256's in 2.37s
Doing sha256 for 3s on 1024 size blocks: 283361 sha256's in 2.57s
Doing sha256 for 3s on 8192 size blocks: 33218 sha256's in 2.42s
OpenSSL 1.0.1p 9 Jul 2015
built on: Sat Nov 14 16:13:48 2015
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
-DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256           25358.98k    54177.90k    93551.04k   112903.37k   112447.05k
 
 Performance counter stats for 'env OPENSSL_CONF=/home/kaworu/tmp/openssl/openssl-1.0.1p/apps/openssl.cnf ./apps/openssl speed sha256':
 
      12098.084736      task-clock (msec)         #    0.803 CPUs utilized          
               527      context-switches          #    0.044 K/sec                  
                 0      cpu-migrations            #    0.000 K/sec                  
               737      page-faults               #    0.061 K/sec                  
   <not supported>      cycles                   
                 0      stalled-cycles-frontend   #    0.00% frontend cycles idle   
                 0      stalled-cycles-backend    #    0.00% backend  cycles idle   
   <not supported>      instructions             
   <not supported>      branches                 
   <not supported>      branch-misses            
 
      15.067666256 seconds time elapsed

FIPS

$ perf stat  openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 3492088 sha256's in 2.29s
Doing sha256 for 3s on 64 size blocks: 2013046 sha256's in 2.38s
Doing sha256 for 3s on 256 size blocks: 927551 sha256's in 2.44s
Doing sha256 for 3s on 1024 size blocks: 259522 sha256's in 2.47s
Doing sha256 for 3s on 8192 size blocks: 33543 sha256's in 2.42s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Mar 23 21:01:31 UTC 2015
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic
-Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
-DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256           24398.87k    54132.33k    97316.83k   107591.31k   113547.21k
 
 Performance counter stats for 'openssl speed sha256':
 
      12032.697699      task-clock (msec)         #    0.794 CPUs utilized          
               691      context-switches          #    0.057 K/sec                  
                 0      cpu-migrations            #    0.000 K/sec                  
               763      page-faults               #    0.063 K/sec                  
   <not supported>      cycles                   
                 0      stalled-cycles-frontend   #    0.00% frontend cycles idle   
                 0      stalled-cycles-backend    #    0.00% backend  cycles idle   
   <not supported>      instructions             
   <not supported>      branches                 
   <not supported>      branch-misses            
 
      15.148459993 seconds time elapsed
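
The sha256 summary rows from the four runs above can be checked against each other. The following is an added example, not part of the original page, that computes the mean gain of 1.0.1p over 1.0.1e-fips per block size and compares it with the run-to-run spread of each build; the names `SIZES`, `RUNS`, `parse_row` and `compare` are chosen here for illustration.

```python
# Added example: is the gap between the builds larger than the run-to-run noise?
SIZES = [16, 64, 256, 1024, 8192]  # block sizes in bytes, from the header row

# sha256 summary rows copied from the output above: first the plain
# benchmark run, then the run under `perf stat`.
RUNS = {
    "1.0.1p": [
        "sha256           23636.25k    51426.23k    99728.59k   118058.43k   120578.76k",
        "sha256           25358.98k    54177.90k    93551.04k   112903.37k   112447.05k",
    ],
    "1.0.1e-fips": [
        "sha256           19477.13k    58752.54k    86939.11k   102855.30k   100640.73k",
        "sha256           24398.87k    54132.33k    97316.83k   107591.31k   113547.21k",
    ],
}


def parse_row(line):
    """Map block size -> throughput (1000s of bytes/s) for one summary row."""
    values = [float(f.rstrip("k")) for f in line.split()[1:]]
    if len(values) != len(SIZES):
        raise ValueError("unexpected column count: %r" % line)
    return dict(zip(SIZES, values))


def compare(runs=RUNS, a="1.0.1p", b="1.0.1e-fips"):
    """Per block size: mean gain of a over b (%) and worst run-to-run spread (%)."""
    pa = [parse_row(r) for r in runs[a]]
    pb = [parse_row(r) for r in runs[b]]
    report = {}
    for size in SIZES:
        va = [p[size] for p in pa]
        vb = [p[size] for p in pb]
        mean_a, mean_b = sum(va) / len(va), sum(vb) / len(vb)
        gain = (mean_a - mean_b) / mean_b * 100
        spread = max((max(v) - min(v)) / min(v) * 100 for v in (va, vb))
        # Rough check only: a gain smaller than the spread is not distinguishable.
        report[size] = {"gain_pct": round(gain, 1),
                        "spread_pct": round(spread, 1),
                        "exceeds_noise": abs(gain) > spread}
    return report


if __name__ == "__main__":
    for size, r in compare().items():
        verdict = "exceeds noise" if r["exceeds_noise"] else "within noise"
        print("%5d bytes  gain %+6.1f%%  spread %5.1f%%  %s"
              % (size, r["gain_pct"], r["spread_pct"], verdict))
```

With only two runs per build this is a rough noise check, not a statistical test. The `compiler:` lines above also show that the builds differ in version and flags (`-O3` versus `-O2 -g -fPIC -fstack-protector-strong` with `-D_FORTIFY_SOURCE=2`), so any remaining gap cannot be attributed to the FIPS patch alone.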
