AES_GCM和AES_CCM的选择

发布于 2022-09-05 22:15:08 字数 6584 浏览 94 评论 0

最近在研究nginx的ssl_ciphers,发现服务器普遍使用AES_GCM作为cipher,但我用openssl speed测试发现:其实AES_CCM的处理速度占优,比AES_GCM快两个数量级.

AES_GCMAES_CCM又提供了同等级的安全性,基于什么考虑选择AES_GCM呢?

⋊> ~ openssl speed -elapsed -evp aes-128-gcm                                                                                                                                          12:01:25
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-gcm for 3s on 16 size blocks: 97979075 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 64 size blocks: 59422372 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 256 size blocks: 29006722 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 1024 size blocks: 11353862 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 8192 size blocks: 1765209 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 16384 size blocks: 895929 aes-128-gcm's in 3.00s
OpenSSL 1.1.1-dev  xx XXX xxxx
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\""  -Wa,--noexecstack
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm     522555.07k  1267677.27k  2475240.28k  3875451.56k  4820197.38k  4892966.91k

⋊> ~ openssl speed -elapsed -evp aes-128-ccm                                                                                                                                          12:01:45
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-ccm for 3s on 16 size blocks: 119658614 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 64 size blocks: 119826773 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 256 size blocks: 119907412 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 1024 size blocks: 120247420 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 8192 size blocks: 119976321 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 16384 size blocks: 120088122 aes-128-ccm's in 3.00s
OpenSSL 1.1.1-dev  xx XXX xxxx
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\""  -Wa,--noexecstack
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-ccm     638179.27k  2556304.49k 10232099.16k 41044452.69k 327615340.54k 655841263.62k

⋊> ~ openssl speed -decrypt -elapsed -evp aes-128-gcm                                                                                                                                 12:08:04
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-gcm for 3s on 16 size blocks: 81282951 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 64 size blocks: 59261806 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 256 size blocks: 30926527 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 1024 size blocks: 11984041 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 8192 size blocks: 1795430 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 16384 size blocks: 906534 aes-128-gcm's in 3.00s
OpenSSL 1.1.1-dev  xx XXX xxxx
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\""  -Wa,--noexecstack
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm     433509.07k  1264251.86k  2639063.64k  4090552.66k  4902720.85k  4950884.35k

⋊> ~ openssl speed -decrypt -elapsed -evp aes-128-ccm                                                                                                                                 12:07:32
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-ccm for 3s on 16 size blocks: 235354888 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 64 size blocks: 234594124 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 256 size blocks: 236230823 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 1024 size blocks: 235920946 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 8192 size blocks: 236134945 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 16384 size blocks: 236273795 aes-128-ccm's in 3.00s
OpenSSL 1.1.1-dev  xx XXX xxxx
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\""  -Wa,--noexecstack
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-ccm    1255226.07k  5004674.65k 20158363.56k 80527682.90k 644805823.15k 1290369952.43k

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

ぃ弥猫深巷。 2022-09-12 22:15:08

你要知道安全性是和速度成反比的,加解密速度越快越容易被破解

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文