Improving Security and Performance with Red Hat & Intel

Advanced Encryption Standard (AES)

What is it?

AES is a Federal Information Processing Standards (FIPS) approved cryptographic algorithm (FIPS PUB 197). It is a symmetric-key block cipher: the same cryptographic key is used for both encryption and decryption.

Where is it used?

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

SSL and TLS are cryptographic protocols that use an asymmetric key algorithm such as RSA for key encryption / decryption and a symmetric key algorithm such as AES for data encryption / decryption. HTTP Secure (HTTPS) is the result of layering the HTTP protocol over the SSL / TLS protocols.

Web Services

XML Encryption specifies the use of an asymmetric key algorithm such as RSA for key encryption / decryption and a symmetric key algorithm such as AES for data encryption / decryption.

Intel AES New Instructions (Intel AES-NI)

What is it?

Intel AES-NI is a new instruction set that accelerates AES encryption / decryption by implementing the computationally intensive steps of the AES algorithm in hardware. It also improves the security of AES encryption / decryption by addressing the risk of side-channel attacks associated with traditional software implementations: the instructions run in data-independent time and do not use lookup tables.

Red Hat Enterprise Linux (RHEL) 6

RHEL 6 ships with an AES-NI enabled version of OpenSSL (documentation).

RHEL 6 ships with an AES-NI enabled version of Mozilla Network Security Services (NSS) (advisory).
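
The AES-NI paths in OpenSSL and NSS only help when the CPU, or the virtual CPU a hypervisor presents to the guest, advertises the `aes` flag. The following check is an added example, not part of the original post; the function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example: report whether the logical CPUs listed in a cpuinfo file
# advertise the AES-NI feature flag ("aes"). Function names are hypothetical.

# aesni_cpu_counts FILE -> prints "<cpus_with_aes> <cpus_total>"
aesni_cpu_counts() {
    awk '
        # Match on the first field so "vmx flags" lines are not counted.
        $1 == "flags" || $1 == "flags:" {
            total++
            # Compare whole tokens so "vaes" alone is not taken for "aes".
            for (i = 2; i <= NF; i++) if ($i == "aes") { hit++; break }
        }
        END { printf "%d %d\n", hit, total }
    ' "$1"
}

# aesni_status [FILE] -> prints all | partial | none | unknown
# Exit status: 0 = every CPU has AES-NI, 1 = some or none, 2 = cannot tell.
aesni_status() {
    file=${1:-/proc/cpuinfo}
    [ -r "$file" ] || { echo unknown; return 2; }
    set -- $(aesni_cpu_counts "$file")
    if [ "$2" -eq 0 ]; then
        echo unknown; return 2      # no "flags" lines (not an x86 cpuinfo)
    elif [ "$1" -eq "$2" ]; then
        echo all; return 0
    elif [ "$1" -eq 0 ]; then
        echo none; return 1
    else
        echo partial; return 1
    fi
}

# Constructed sample input: CPU 0 has "aes", CPU 1 has only "vaes".
constructed_cpuinfo() {
    printf 'processor\t: 0\nflags\t\t: fpu sse2 aes avx\n'
    printf 'processor\t: 1\nflags\t\t: fpu sse2 vaes avx\n'
}

# Usage on a real host:  aesni_status /proc/cpuinfo
```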

JBoss Enterprise Application Platform (EAP) 6

JBoss EAP 6 native components (RHEL 6 x86_64) can be installed and enabled to allow JBoss EAP 6 to use OpenSSL for HTTPS and thus benefit from AES-NI.

OpenJDK can be configured to use NSS via the Sun PKCS#11 provider and thus allow JBoss EAP 6 to perform AES-NI enabled encryption / decryption (e.g. XML Encryption).

Performance

Enabling AES-NI for AES encryption / decryption with OpenJDK and NSS results in a significant performance improvement.

  • Encryption is about 2 to 4x faster with NSS and AES-NI enabled than without NSS.
  • Decryption is about 10 to 20x faster with NSS and AES-NI enabled than without NSS.

Results (Andrew Hughes)

AES encryption and decryption is about 20% faster with NSS and AES-NI enabled than with NSS and AES-NI disabled with SPECjvm2008.

AES encryption and decryption is about 40% faster with NSS and AES-NI enabled than with NSS and AES-NI disabled with a Java application.

Results (Intel)

Additional Information

Intel AES New Instructions (Intel AES-NI) (HTML)

AES-NI with Red Hat Enterprise Linux

  • How to Provision a Linux Web Server for Intel AES-NI  (PDF)
  • Intel AES-NI Performance Testing on Linux / Java Stack (HTML)

About Shane K Johnson

Technical Marketing Manager, Red Hat Inc.


One Comment on “Improving Security and Performance with Red Hat & Intel”

  1. Andrew Hughes (@gnu_andrew_java) Says:

    Nice that you’ve spotted the work we did with OpenJDK/IcedTea & the AES instructions! However, the article is a little misleading in its layout. The Intel link contains the SPECjvm2008 results and mine with our little Java test application.
