Improving Security and Performance with Red Hat & Intel

Jul 26, 2012 3:04 PM, Shane K Johnson [ Original post ]
Previous Next

Advanced Encryption Standard (AES)

What is it?

AES is a Federal Information Processing Standards (FIPS) approved cryptography algorithm (FIPS PUB 197). It is a symmetric-key algorithm. It uses the same cryptographic key for both encryption and decryption. Furthermore, it is a block cipher.

Where is it used?

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

SSL and TLS are cryptographic protocols that use an asymmetric key algorithm such as RSA for key encryption / decryption and a symmetric key algorithm such as AES for data encryption / decryption. HTTP Secure (HTTPS) is the result of layering the HTTP protocol over the SSL / TLS protocols.

Web Services

XML Encryption specifies the use of an asymmetric key algorithm such as RSA for key encryption / decryption and a symmetric key algorithm such as AES for data encryption / decryption.

Intel AES New Instructions (Intel AES-NI)

What is it?

Intel AES-NI is new instruction set that accelerates AES encryption / decryption by implementing computationally intensive steps of the AES algorithm. In addition, it improves the security of AES encryption / decryption by addressing the risk of side channel attacks associated with traditional software implementations since the instructions run in data independent time and do not use lookup tables.

Red Hat Enterprise Linux (RHEL) 6

RHEL 6 ships with an AES-NI enabled version of OpenSSL. documentation

RHEL 6 ships with an AES-NI enabled version of Mozilla Network Security Services (NSS). advisory

JBoss Enterprise Application Platform (EAP) 6

JBoss EAP 6 native components (RHEL 6 x86_64) can be installed and enabled to allow JBoss EAP 6 to use OpenSSL for HTTPS and thus benefit from AES-NI.

OpenJDK can be configured to use NSS via the Sun PKCS#11 provider and thus allow JBoss EAP 6 to perform AES-NI enabled encryption / decryption (e.g. XML Encryption).

Performance

Enabling AES-NI for AES encryption / decryption with OpenJDK and NSS results in a significant performance improvement.

  • Encryption is about 2 to 4x faster with NSS and AES-NI enabled than without NSS.
  • Decryption is about 10 to 20x faster with NSS and AES-NI enabled than without NSS.

Results (Andrew Hughes)

AES encryption and decryption is about 20% faster with NSS and AES-NI enabled than with NSS and AES-NI disabled with SPECjvm2008.

AES encryption and decryption is about 40% faster with NSS and AES-NI enabled than with NSS and AES-NI disabled with a Java application.

Results (Intel)

Additional Information

Intel AES New Instructions (Intel AES-NI) (HTML)

AES-NI with Red Hat Enterprise Linux

  • How to Provision a Linux Web Server for Intel AES-NIĀ  (PDF)
  • Intel AES-NI Performance Testing on Linux / Java Stack (HTML)