Date: Thu, 17 Jan 2008 15:47:12 +0100
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Cyrus Rahman <crahman@gmail.com>
Cc: freebsd-geom@freebsd.org
Subject: Re: Authentication with geom_eli
Message-ID: <20080117144712.GH8820@garage.freebsd.pl>
In-Reply-To: <9e77bdb50801170615l3ff6f6bbo97ade8b4471dc7b0@mail.gmail.com>
References: <9e77bdb50801160832p39619f1fm85bf1454fead3357@mail.gmail.com> <9e77bdb50801170615l3ff6f6bbo97ade8b4471dc7b0@mail.gmail.com>
On Thu, Jan 17, 2008 at 07:15:26AM -0700, Cyrus Rahman wrote:
> Here are some timings related to different encryption and
> authentication algorithms. Although the authentication involves extra
> copying and additional data being written to disk, it is clear the
> algorithm is also quite significant.
>
> The system is a quad processor Q6600 running at 2.4GHz with mid-range
> SATA disks.
>
> Given the considerable performance hit and the fact that for most
> applications the only viable and useful authentication attacks I can
> think of would involve replay, which is not detected in the current
> implementation, I think there is a clear benefit to an algorithm like
> a CRC to provide data integrity at a lower cost.
>
> But I also agree that the ideal place for a CRC style check would be
> in a separate geom layer.
>
> Baseline:
> dd if=/dev/random of=/dev/mirror/gm0 bs=1m count=200
> 200+0 records in
> 200+0 records out
> 209715200 bytes transferred in 4.733112 secs (44308101 bytes/sec)
>
> ***
> Varied encryption algorithms:
> geli init -P -e aes -l 256 -s 4096 -K key mirror/gm0
> dd if=/dev/random of=/dev/mirror/gm0.eli bs=1m count=200
> 209715200 bytes transferred in 7.336633 secs (28584666 bytes/sec)
>
> geli init -P -e aes -l 128 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 6.919852 secs (30306313 bytes/sec)
>
> geli init -P -e blowfish -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 9.289385 secs (22575790 bytes/sec)
>
> geli init -P -e camellia -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 8.384749 secs (25011506 bytes/sec)
>
> geli init -P -e 3des -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 18.362226 secs (11421012 bytes/sec)
>
> ***
> Varied authentication algorithms:
> geli init -P -e aes -l 256 -a hmac/sha512 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 12.553233 secs (16706071 bytes/sec)
>
> geli init -P -e aes -l 256 -a hmac/sha256 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 12.487267 secs (16794323 bytes/sec)
>
> geli init -P -e aes -l 256 -a hmac/sha1 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 12.101804 secs (17329251 bytes/sec)
>
> geli init -P -e aes -l 256 -a hmac/ripemd160 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 11.301225 secs (18556856 bytes/sec)
>
> geli init -P -e aes -l 256 -a hmac/md5 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 10.345111 secs (20271914 bytes/sec)

Could you retry with /dev/zero instead of /dev/random and also try
'null' as encryption algorithm?

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
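Added example (not part of either message and not geli's code): a toy model of per-sector integrity tags showing which events a keyed HMAC and an unkeyed CRC32 notice, including the replay case mentioned in the quoted message. The key, the offset-bound tag layout and the sample sectors are constructed assumptions, and encryption is left out.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-demo-key"   # constructed sample key
SECTOR = 4096                   # same sector size as -s 4096 in the timings

def hmac_tag(offset, data, key=KEY):
    # Keyed tag bound to the sector offset (assumed layout, not geli's format).
    msg = offset.to_bytes(8, "little") + data
    return hmac.new(key, msg, hashlib.sha256).digest()

def crc_tag(offset, data, key=None):
    # Unkeyed checksum: anyone who can write the disk can recompute it.
    msg = offset.to_bytes(8, "little") + data
    return zlib.crc32(msg).to_bytes(4, "little")

def verify(tagger, offset, data, tag):
    # What the reader does: recompute with its own key and compare.
    return hmac.compare_digest(tag, tagger(offset, data))

def detected(tagger):
    """Return which events the reader notices for a given tag function."""
    old = b"A" * SECTOR
    new = b"B" * SECTOR
    stored_old = (old, tagger(0, old))   # snapshot taken by someone with disk access
    new_tag = tagger(0, new)             # later legitimate write

    # 1. Accidental corruption: one bit flips, the stored tag is untouched.
    flipped = bytes([new[0] ^ 1]) + new[1:]
    bitrot = not verify(tagger, 0, flipped, new_tag)

    # 2. Modification without the key: data is rewritten and the tag is
    #    recomputed with a guessed key (CRC needs no key at all).
    changed = b"E" * SECTOR
    forged_tag = tagger(0, changed, key=b"wrong-guess")
    tamper = not verify(tagger, 0, changed, forged_tag)

    # 3. Replay: the old, once-valid sector and tag are written back.
    replay = not verify(tagger, 0, *stored_old)

    return {"bitrot": bitrot, "tamper": tamper, "replay": replay}

if __name__ == "__main__":
    for name, tagger in (("hmac/sha256", hmac_tag), ("crc32", crc_tag)):
        print(name, detected(tagger))
```

In this model both tags catch bit rot and neither catches a replayed sector; only the keyed tag catches a rewrite by someone who does not hold the key.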