[AusNOG] Experiences with web load balancers

Glen Turner gdt at gdt.id.au
Tue Feb 23 15:40:59 EST 2010


On 2010-02-10 Mark Smith wrote:

> Do you have any references to performance comparisons? I'm not sure I
> could see any reason for Intel to add them into their CPUs unless these
> crypto instructions were pretty competitive with other hardware
> implementations.

The paper at:
<http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set/>
says using Intel's AES-NI instructions is 2-3 times faster than a fast-but-insecure
algorithm using other CPU instructions to implement AES in CBC mode.

Testing by others on real-world data is consistent with Intel's numbers, although
synthetic benchmarks tend to give a much higher speedup, typically 6-10x.  These
numbers are consistent with the experience of VIA's Padlock AES instructions.

My interpretation of the results in the paper is that the performance of the
instructions beyond the 2-3x speedup is limited by delays fetching data from
memory.

A big advantage of using hardware instructions is that software implementations
are gaining complexity and becoming slower to counter covert channel attacks
(timing, cache hits, power, etc).  It is plain that Intel have taken care to ensure
that their hardware implementation does not suffer from these.

I would expect an offload card that takes the same care with covert channels
to be slower -- that is, to easily hit memory prefetch and then be limited by
memory-device bandwidth -- the CPU getting the edge because of its higher memory
bandwidth. An offload card could still win where it is incorporated in a device
that has to DMA the data anyway, such as a network interface card or RAID
controller.

Note carefully that the hardest part of operating a cryptosystem is not running
the algorithm but handling the keys. CPUs currently have poor privacy for keys,
so there's plenty of scope for an offload card to do a better job.

The Intel AES-NI instructions do not include a random number generator, unlike
VIA's Padlock.  Hopefully Intel will provide that as part of a chipset, to improve
the resilience of CPUs to covert channel attacks on session keys.

-- 
  Glen Turner   <http://www.gdt.id.au/~gdt/>
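The 2-3x figure quoted above can be checked on one's own load balancer hardware. The script below is an added example, not part of Glen's post: it reports whether the kernel exposes the AES CPU flag, then compares OpenSSL's AES-128-CBC throughput with AES-NI enabled and with it masked through the OPENSSL_ia32cap environment variable (bit 57 of OpenSSL's capability vector is the AES-NI flag). It assumes Linux (/proc/cpuinfo) and an OpenSSL 1.1 or later `openssl` binary; function names are this example's own.

```shell
#!/bin/sh
# Added example: measure the AES-NI speedup for AES-128-CBC on this machine.

# Print "yes" if the kernel reports the "aes" CPU flag, "no" if it does not,
# and "unknown" when /proc/cpuinfo is not readable (non-Linux host).
aesni_supported() {
    [ -r /proc/cpuinfo ] || { echo unknown; return 0; }
    if grep -qw aes /proc/cpuinfo; then echo yes; else echo no; fi
}

# Run `openssl speed` for AES-128-CBC and print the throughput for the largest
# block size in units of 1000 bytes/second (the "k" column openssl prints).
# Pass "off" as $1 to mask AES-NI: OPENSSL_ia32cap="~0x200000000000000" clears
# bit 57 of the capability vector, so OpenSSL falls back to its software AES.
# Prints 0 when openssl is missing or the output cannot be parsed.
aes_cbc_throughput() {
    command -v openssl >/dev/null 2>&1 || { echo 0; return 0; }
    if [ "$1" = off ]; then
        out=$(OPENSSL_ia32cap="~0x200000000000000" \
              openssl speed -seconds 1 -evp aes-128-cbc 2>/dev/null)
    else
        out=$(openssl speed -seconds 1 -evp aes-128-cbc 2>/dev/null)
    fi
    # Summary line looks like: "aes-128-cbc  123456.78k  ...  987654.32k"
    v=$(printf '%s\n' "$out" |
        awk '/^aes-128-cbc/ { x=$NF; sub(/k$/, "", x); printf "%d\n", x; exit }')
    echo "${v:-0}"
}

# Speedup of AES-NI over the masked run as an integer percentage
# (e.g. 250 means 2.5x); 0 when either measurement is unavailable.
# On a CPU without AES-NI both runs use software AES and the result is ~100.
aesni_speedup_percent() {
    on=$(aes_cbc_throughput on)
    off=$(aes_cbc_throughput off)
    [ "$on" -gt 0 ] && [ "$off" -gt 0 ] || { echo 0; return 0; }
    echo $(( on * 100 / off ))
}

if [ "${0##*/}" != sh ] && [ -z "$AESNI_LIB_ONLY" ]; then
    echo "aes flag: $(aesni_supported)"
    echo "AES-NI on : $(aes_cbc_throughput on) kB/s"
    echo "AES-NI off: $(aes_cbc_throughput off) kB/s"
    echo "speedup   : $(aesni_speedup_percent)%"
fi
```

Run it with the load balancer otherwise idle; the interesting comparison is the 8 KiB and 16 KiB columns, since small blocks are dominated by per-call overhead rather than the cipher.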