Choosing between AES_GCM and AES_CCM

I have recently been looking into nginx's ssl_ciphers and found that servers commonly use AES_GCM as the cipher, but when I tested with openssl speed I found that AES_CCM is actually faster, by two orders of magnitude.

AES_GCM and AES_CCM provide the same level of security, so what is the reasoning behind choosing AES_GCM?

⋊> ~ openssl speed -elapsed -evp aes-128-gcm                                                                                                                                          12:01:25
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-gcm for 3s on 16 size blocks: 97979075 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 64 size blocks: 59422372 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 256 size blocks: 29006722 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 1024 size blocks: 11353862 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 8192 size blocks: 1765209 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 16384 size blocks: 895929 aes-128-gcm's in 3.00s
OpenSSL 1.1.1-dev  xx XXX xxxx
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\""  -Wa,--noexecstack
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm     522555.07k  1267677.27k  2475240.28k  3875451.56k  4820197.38k  4892966.91k

⋊> ~ openssl speed -elapsed -evp aes-128-ccm                                                                                                                                          12:01:45
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-ccm for 3s on 16 size blocks: 119658614 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 64 size blocks: 119826773 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 256 size blocks: 119907412 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 1024 size blocks: 120247420 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 8192 size blocks: 119976321 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 16384 size blocks: 120088122 aes-128-ccm's in 3.00s
OpenSSL 1.1.1-dev  xx XXX xxxx
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\""  -Wa,--noexecstack
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-ccm     638179.27k  2556304.49k 10232099.16k 41044452.69k 327615340.54k 655841263.62k

⋊> ~ openssl speed -decrypt -elapsed -evp aes-128-gcm                                                                                                                                 12:08:04
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-gcm for 3s on 16 size blocks: 81282951 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 64 size blocks: 59261806 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 256 size blocks: 30926527 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 1024 size blocks: 11984041 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 8192 size blocks: 1795430 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 16384 size blocks: 906534 aes-128-gcm's in 3.00s
OpenSSL 1.1.1-dev  xx XXX xxxx
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\""  -Wa,--noexecstack
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm     433509.07k  1264251.86k  2639063.64k  4090552.66k  4902720.85k  4950884.35k

⋊> ~ openssl speed -decrypt -elapsed -evp aes-128-ccm                                                                                                                                 12:07:32
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-ccm for 3s on 16 size blocks: 235354888 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 64 size blocks: 234594124 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 256 size blocks: 236230823 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 1024 size blocks: 235920946 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 8192 size blocks: 236134945 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 16384 size blocks: 236273795 aes-128-ccm's in 3.00s
OpenSSL 1.1.1-dev  xx XXX xxxx
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\""  -Wa,--noexecstack
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-ccm    1255226.07k  5004674.65k 20158363.56k 80527682.90k 644805823.15k 1290369952.43k
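A sanity check on the benchmark itself, added here as an example (not part of the question or of OpenSSL): in the aes-128-ccm runs above the number of calls completed in 3 seconds is about 120 million whether each call handles 16 bytes or 16384 bytes, so the per-call cost does not depend on the data length at all, which a real cipher cannot achieve; the GCM runs, by contrast, complete roughly 100 times fewer calls at the largest block size. The script parses the "Doing ..." lines and flags a run whose calls-per-second stays flat across block sizes as not measuring real encryption; the sample lines are the figures quoted in the question, and the 2.0 threshold is an assumed heuristic.

```python
import re
from typing import List, Tuple

# Constructed samples: the "Doing ..." lines copied from the question's
# aes-128-ccm and aes-128-gcm encrypt runs.
SAMPLE_CCM = """\
Doing aes-128-ccm for 3s on 16 size blocks: 119658614 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 64 size blocks: 119826773 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 256 size blocks: 119907412 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 1024 size blocks: 120247420 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 8192 size blocks: 119976321 aes-128-ccm's in 3.00s
Doing aes-128-ccm for 3s on 16384 size blocks: 120088122 aes-128-ccm's in 3.00s
"""
SAMPLE_GCM = """\
Doing aes-128-gcm for 3s on 16 size blocks: 97979075 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 64 size blocks: 59422372 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 256 size blocks: 29006722 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 1024 size blocks: 11353862 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 8192 size blocks: 1765209 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 16384 size blocks: 895929 aes-128-gcm's in 3.00s
"""

# Matches one "Doing <algo> for Ns on <size> size blocks: <ops> <algo>'s in <secs>s" line.
LINE_RE = re.compile(
    r"Doing (?P<algo>\S+) for \d+s on (?P<size>\d+) size blocks: "
    r"(?P<ops>\d+) \S+ in (?P<secs>[\d.]+)s")


def parse_speed(output: str) -> List[Tuple[int, float]]:
    """Return (block_size, calls_per_second) for each 'Doing ...' line, sorted by size."""
    rows = []
    for m in LINE_RE.finditer(output):
        rows.append((int(m["size"]), int(m["ops"]) / float(m["secs"])))
    return sorted(rows)


def benchmark_is_plausible(output: str, max_ratio: float = 2.0) -> bool:
    """True if calls/s drops by more than max_ratio between the smallest and the
    largest block size. A cipher must do per-byte work, so a flat calls/s curve
    means the tool is not processing the data and its throughput column is
    meaningless (as in the CCM runs above). max_ratio is an assumed heuristic."""
    rows = parse_speed(output)
    if len(rows) < 2:
        raise ValueError("need at least two block sizes to compare")
    smallest_cps, largest_cps = rows[0][1], rows[-1][1]
    return smallest_cps / largest_cps > max_ratio
```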
1 answer

You need to understand that security is inversely proportional to speed: the faster encryption and decryption are, the easier they are to break.
