Date:      Thu, 17 Jan 2008 07:15:26 -0700
From:      "Cyrus Rahman" <crahman@gmail.com>
To:        freebsd-geom@freebsd.org
Subject:   Re: Authentication with geom_eli
Message-ID:  <9e77bdb50801170615l3ff6f6bbo97ade8b4471dc7b0@mail.gmail.com>
In-Reply-To: <9e77bdb50801160832p39619f1fm85bf1454fead3357@mail.gmail.com>
References:  <9e77bdb50801160832p39619f1fm85bf1454fead3357@mail.gmail.com>

Here are some timings related to different encryption and
authentication algorithms.  Although the authentication involves extra
copying and additional data being written to disk, it is clear the
algorithm is also quite significant.

The system is a quad processor Q6600 running at 2.4GHz with mid-range
SATA disks.

Given the considerable performance hit and the fact that for most
applications the only viable and useful authentication attacks I can
think of would involve replay, which is not detected in the current
implementation, I think there is a clear benefit to an algorithm like
a CRC to provide data integrity at a lower cost.

But I also agree that the ideal place for a CRC style check would be
in a separate geom layer.

Baseline:
dd if=/dev/random of=/dev/mirror/gm0 bs=1m count=200
200+0 records in
200+0 records out
209715200 bytes transferred in 4.733112 secs (44308101 bytes/sec)

***
Varied encryption algorithms:
geli init -P -e aes -l 256 -s 4096 -K key mirror/gm0
dd if=/dev/random of=/dev/mirror/gm0.eli bs=1m count=200
209715200 bytes transferred in 7.336633 secs (28584666 bytes/sec)

geli init -P -e aes -l 128 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 6.919852 secs (30306313 bytes/sec)

geli init -P -e blowfish -s 4096 -K key mirror/gm0
209715200 bytes transferred in 9.289385 secs (22575790 bytes/sec)

geli init -P -e camellia -s 4096 -K key mirror/gm0
209715200 bytes transferred in 8.384749 secs (25011506 bytes/sec)

geli init -P -e 3des -s 4096 -K key mirror/gm0
209715200 bytes transferred in 18.362226 secs (11421012 bytes/sec)

***
Varied authentication algorithms:
geli init -P -e aes -l 256 -a hmac/sha512 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 12.553233 secs (16706071 bytes/sec)

geli init -P -e aes -l 256 -a hmac/sha256 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 12.487267 secs (16794323 bytes/sec)

geli init -P -e aes -l 256 -a hmac/sha1 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 12.101804 secs (17329251 bytes/sec)

geli init -P -e aes -l 256 -a hmac/ripemd160 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 11.301225 secs (18556856 bytes/sec)

geli init -P -e aes -l 256 -a hmac/md5 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 10.345111 secs (20271914 bytes/sec)
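
The difference between detecting corruption, detecting modification and detecting replay, which the message above turns on, can be seen in a small model. This is an added example, not part of the original message and not geli's code or on-disk format; the `AuthDisk` class, the tag layout (sector number followed by data) and all sample data are constructed assumptions.

```python
import hashlib
import hmac
import os
import zlib

SECTOR = 4096  # same sector size as the -s 4096 used in the timings


class AuthDisk:
    """Constructed model: every sector is stored with a tag over (sector number || data)."""

    def __init__(self, key, use_hmac=True):
        self.key = key
        self.use_hmac = use_hmac
        self.store = {}  # sector number -> (data, tag), i.e. the raw provider contents

    def _tag(self, n, data):
        msg = n.to_bytes(8, "little") + data
        if self.use_hmac:
            return hmac.new(self.key, msg, hashlib.sha256).digest()
        return zlib.crc32(msg).to_bytes(4, "little")  # unkeyed checksum

    def write(self, n, data):
        self.store[n] = (data, self._tag(n, data))

    def read(self, n):
        """Return the sector data, or None if the stored tag does not verify."""
        data, tag = self.store[n]
        return data if hmac.compare_digest(tag, self._tag(n, data)) else None


def outcomes(use_hmac):
    """Return (bit_flip_detected, keyless_rewrite_detected, replay_detected)."""
    disk = AuthDisk(os.urandom(32), use_hmac)
    old, new, other = b"A" * SECTOR, b"B" * SECTOR, b"C" * SECTOR
    disk.write(0, old)
    snapshot = disk.store[0]        # earlier raw contents of sector 0: data plus tag
    disk.write(0, new)
    current_tag = disk.store[0][1]

    def detected(raw):
        disk.store[0] = raw         # change the raw provider underneath the layer
        return disk.read(0) is None

    flipped = bytes([new[0] ^ 1]) + new[1:]
    crc = zlib.crc32((0).to_bytes(8, "little") + other).to_bytes(4, "little")
    return (detected((flipped, current_tag)),  # accidental single-bit corruption
            detected((other, crc)),            # new data with a checksum computed without the key
            detected(snapshot))                # earlier data and tag put back in place


if __name__ == "__main__":
    print("hmac/sha256:", outcomes(True))
    print("crc32:      ", outcomes(False))
```

Both checks catch the bit flip and neither catches the replayed sector; only the keyed tag catches data rewritten without the key.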
