From: "Cyrus Rahman"
To: freebsd-geom@freebsd.org
Date: Thu, 17 Jan 2008 07:15:26 -0700
Subject: Re: Authentication with geom_eli
In-Reply-To: <9e77bdb50801160832p39619f1fm85bf1454fead3357@mail.gmail.com>

Here are some timings related to different encryption and authentication algorithms. Although the authentication involves extra copying and additional data being written to disk, it is clear the algorithm is also quite significant. The system is a quad processor Q6600 running at 2.4GHz with mid-range SATA disks.

Given the considerable performance hit and the fact that for most applications the only viable and useful authentication attacks I can think of would involve replay, which is not detected in the current implementation, I think there is a clear benefit to an algorithm like a CRC to provide data integrity at a lower cost. But I also agree that the ideal place for a CRC style check would be in a separate geom layer.

Baseline:

dd if=/dev/random of=/dev/mirror/gm0 bs=1m count=200
200+0 records in
200+0 records out
209715200 bytes transferred in 4.733112 secs (44308101 bytes/sec)

*** Varied encryption algorithms:

geli init -P -e aes -l 256 -s 4096 -K key mirror/gm0
dd if=/dev/random of=/dev/mirror/gm0.eli bs=1m count=200
209715200 bytes transferred in 7.336633 secs (28584666 bytes/sec)

geli init -P -e aes -l 128 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 6.919852 secs (30306313 bytes/sec)

geli init -P -e blowfish -s 4096 -K key mirror/gm0
209715200 bytes transferred in 9.289385 secs (22575790 bytes/sec)

geli init -P -e camellia -s 4096 -K key mirror/gm0
209715200 bytes transferred in 8.384749 secs (25011506 bytes/sec)

geli init -P -e 3des -s 4096 -K key mirror/gm0
209715200 bytes transferred in 18.362226 secs (11421012 bytes/sec)

*** Varied authentication algorithms:

geli init -P -e aes -l 256 -a hmac/sha512 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 12.553233 secs (16706071 bytes/sec)

geli init -P -e aes -l 256 -a hmac/sha256 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 12.487267 secs (16794323 bytes/sec)

geli init -P -e aes -l 256 -a hmac/sha1 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 12.101804 secs (17329251 bytes/sec)

geli init -P -e aes -l 256 -a hmac/ripemd160 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 11.301225 secs (18556856 bytes/sec)

geli init -P -e aes -l 256 -a hmac/md5 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 10.345111 secs (20271914 bytes/sec)
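
The replay point in the message above, as an added example that is not part of the original e-mail and is not geli's code: a toy model of a stateless per-sector integrity tag, showing which changes to the stored bytes it catches and why an older valid sector written back at the same offset is not one of them. The AuthStore class, the tag construction (HMAC-SHA256 over offset plus data under a single key), the key and the sector contents are all assumptions made for illustration.

```python
import hashlib
import hmac
import zlib

SECTOR = 4096  # same sector size as the -s 4096 runs above

class AuthStore:
    """Toy disk: each sector is stored next to a tag over (offset || data).
    Stateless: nothing outside the "disk" records which version is current."""

    def __init__(self, key):
        self.key = key
        self.disk = {}  # offset -> (data, tag); everything here can be rewritten

    def _tag(self, offset, data):
        msg = offset.to_bytes(8, "little") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, offset, data):
        self.disk[offset] = (data, self._tag(offset, data))

    def verifies(self, offset):
        data, tag = self.disk[offset]
        return hmac.compare_digest(tag, self._tag(offset, data))

def flip_first_bit(data):
    return bytes([data[0] ^ 1]) + data[1:]

def run_cases():
    store = AuthStore(b"k" * 32)             # constructed key
    old, new = b"A" * SECTOR, b"B" * SECTOR  # constructed sector contents
    store.write(0, old)
    stale = store.disk[0]                    # raw copy of sector + tag, taken earlier
    store.write(0, new)
    store.write(SECTOR, b"C" * SECTOR)
    out = {}
    data, tag = store.disk[0]
    store.disk[0] = (flip_first_bit(data), tag)  # modified data, original tag
    out["modification_detected"] = not store.verifies(0)
    store.disk[0] = store.disk[SECTOR]           # valid sector moved to another offset
    out["relocation_detected"] = not store.verifies(0)
    store.disk[0] = stale                        # older valid sector, same offset
    out["replay_detected"] = not store.verifies(0)
    # A CRC over the sector catches accidental corruption such as a single bit flip.
    out["crc_detects_bit_flip"] = zlib.crc32(flip_first_bit(new)) != zlib.crc32(new)
    return out

if __name__ == "__main__":
    print(run_cases())
```

Detecting the replayed sector would need version state kept outside the attacker-writable area (a counter or hash tree root, for example), which a per-sector tag alone does not provide.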