Discussion: Is OpenSSL AES-NI not available in pgcrypto?

Is OpenSSL AES-NI not available in pgcrypto?

From
"agharta82@gmail.com"
Date:
Hi all,

A question, I may be wrong.

I've a Rocky Linux 8 with OpenSSL 1.1.1 FIPS and an Intel CPU with aes 
support (cat /proc/cpuinfo | grep aes)

A test made with openssl gives me a huge performance gain with aes enabled vs not:

"openssl speed -elapsed -evp aes-128-cbc" is about 5 times faster than 
"openssl speed -elapsed aes-128-cbc" or another "software calculated 
test", e.g. "openssl speed -elapsed bf-cbc"

So OpenSSL is ok.

Postgresql 15 is compiled with openssl:

select name, setting from pg_settings where name = 'ssl_library';
     name     | setting
-------------+---------
  ssl_library | OpenSSL
(1 row)

So, a test with pgcrypto:

select pgp_sym_encrypt(data::text, 'pwd') --default to aes128
from generate_series('2022-01-01'::timestamp, '2022-12-31'::timestamp, 
'1 hour'::interval) data

vs

select pgp_sym_encrypt(data::text, 'pwd','cipher-algo=bf') -- blowfish
from generate_series('2022-01-01'::timestamp, '2022-12-31'::timestamp, 
'1 hour'::interval) data

In my test, the execution of both queries is similar... aes-128 was expected 
to be about 5 times faster.

So, why?

Pgcrypto uses OpenSSL as backend, so does it explicitly force software aes 
calculation instead of the AES-NI CPU ones?

Thanks for support.

Best regards,

Agharta







Re: Is OpenSSL AES-NI not available in pgcrypto?

From
Peter Eisentraut
Date:
On 02.01.23 17:57, agharta82@gmail.com wrote:
> select pgp_sym_encrypt(data::text, 'pwd') --default to aes128
> from generate_series('2022-01-01'::timestamp, '2022-12-31'::timestamp, 
> '1 hour'::interval) data
> 
> vs
> 
> select pgp_sym_encrypt(data::text, 'pwd','cipher-algo=bf') -- blowfish
> from generate_series('2022-01-01'::timestamp, '2022-12-31'::timestamp, 
> '1 hour'::interval) data
> 
> In my test, the execution of both queries is similar... aes-128 was expected 
> to be about 5 times faster.
> 
> So, why?
> 
> Pgcrypto uses OpenSSL as backend, so does it explicitly force software aes 
> calculation instead of the AES-NI CPU ones?

I suspect it is actually using AES hardware support, but all the other 
overhead of pgcrypto makes the difference not noticeable.




Re: Is OpenSSL AES-NI not available in pgcrypto?

From
"agharta82@gmail.com"
Date:
Hi,

I see, I was hoping that wasn't the case.

Thanks a lot for your support.

My best regards,

Agharta


On 03/01/23 16:54, Peter Eisentraut wrote:
> On 02.01.23 17:57, agharta82@gmail.com wrote:
>> select pgp_sym_encrypt(data::text, 'pwd') --default to aes128
>> from generate_series('2022-01-01'::timestamp, 
>> '2022-12-31'::timestamp, '1 hour'::interval) data
>>
>> vs
>>
>> select pgp_sym_encrypt(data::text, 'pwd','cipher-algo=bf') -- blowfish
>> from generate_series('2022-01-01'::timestamp, 
>> '2022-12-31'::timestamp, '1 hour'::interval) data
>>
>> In my test, the execution of both queries is similar... aes-128 was expected 
>> to be about 5 times faster.
>>
>> So, why?
>>
>> Pgcrypto uses OpenSSL as backend, so does it explicitly force software 
>> aes calculation instead of the AES-NI CPU ones?
>
> I suspect it is actually using AES hardware support, but all the other 
> overhead of pgcrypto makes the difference not noticeable.
>



Re: Is OpenSSL AES-NI not available in pgcrypto?

From
Bruce Momjian
Date:
On Mon, Jan  2, 2023 at 05:57:38PM +0100, agharta82@gmail.com wrote:
> So, a test with pgcrypto:
> 
> select pgp_sym_encrypt(data::text, 'pwd') --default to aes128
> from generate_series('2022-01-01'::timestamp, '2022-12-31'::timestamp, '1
> hour'::interval) data
> 
> vs
> 
> select pgp_sym_encrypt(data::text, 'pwd','cipher-algo=bf') -- blowfish
> from generate_series('2022-01-01'::timestamp, '2022-12-31'::timestamp, '1
> hour'::interval) data

To see the difference, I think you need to construct a single large
query that calls many pgcrypto functions, with a small return result, so
the network, parsing, and optimizer overhead are minimal compared to the
OpenSSL overhead.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

Embrace your flaws.  They make you human, rather than perfect,
which you will never be.



Re: Is OpenSSL AES-NI not available in pgcrypto?

From
agharta agharta
Date:
Hi Bruce,
Thanks for the reply.

I've given up: I've found a slide on the Percona site about pgcrypto that said the developers of the plugin intentionally introduced time-consuming code to prevent brute force attacks.

My queries involve pgcrypto only in a small number of records (about 2000), so in the end the execution time remains the same... sadly.

My hopes are now in TDE. Hope to see that feature in PostgreSQL soon.

Many thanks again for support to all!

Have a nice day,
Agharta 


On Sat, 7 Jan 2023, 03:13 Bruce Momjian <bruce@momjian.us> wrote:
> On Mon, Jan  2, 2023 at 05:57:38PM +0100, agharta82@gmail.com wrote:
> > So, a test with pgcrypto:
> >
> > select pgp_sym_encrypt(data::text, 'pwd') --default to aes128
> > from generate_series('2022-01-01'::timestamp, '2022-12-31'::timestamp, '1
> > hour'::interval) data
> >
> > vs
> >
> > select pgp_sym_encrypt(data::text, 'pwd','cipher-algo=bf') -- blowfish
> > from generate_series('2022-01-01'::timestamp, '2022-12-31'::timestamp, '1
> > hour'::interval) data
>
> To see the difference, I think you need to construct a single large
> query that calls many pgcrypto functions, with a small return result, so
> the network, parsing, and optimizer overhead are minimal compared to the
> OpenSSL overhead.
>
> --
>   Bruce Momjian  <bruce@momjian.us>        https://momjian.us
>   EDB                                      https://enterprisedb.com
>
> Embrace your flaws.  They make you human, rather than perfect,
> which you will never be.
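
One way to separate the per-call costs discussed in this thread from raw cipher speed, as an added example that is not part of any poster's message. It follows the suggestion to return a small result from one large query, then varies pgcrypto's documented `s2k-count` option and finally times the raw `encrypt()` function on one large buffer. Assumptions: a psql session, the pgcrypto extension available, and a build whose OpenSSL still permits Blowfish; the key, the buffer and the chosen counts are constructed values.

```sql
-- Added example, not from the thread. Run in psql; requires pgcrypto.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
\timing on

-- 1. The thread's workload reduced to a single result row, so transfer to
--    the client does not dominate. Every call still derives a key from 'pwd'
--    with the documented default s2k-mode=3 (iterated and salted).
SELECT sum(octet_length(pgp_sym_encrypt(d::text, 'pwd')))
FROM generate_series('2022-01-01'::timestamp, '2022-12-31'::timestamp,
                     '1 hour'::interval) AS d;

SELECT sum(octet_length(pgp_sym_encrypt(d::text, 'pwd', 'cipher-algo=bf')))
FROM generate_series('2022-01-01'::timestamp, '2022-12-31'::timestamp,
                     '1 hour'::interval) AS d;

-- 2. Same AES calls with the S2K iteration count pinned low, then high.
--    If run time follows s2k-count, key derivation is the dominant cost
--    and the cipher choice cannot show up in the total.
--    Measurement only: a low count makes passphrase guessing cheaper.
SELECT sum(octet_length(pgp_sym_encrypt(d::text, 'pwd', 's2k-count=1024')))
FROM generate_series('2022-01-01'::timestamp, '2022-12-31'::timestamp,
                     '1 hour'::interval) AS d;

SELECT sum(octet_length(pgp_sym_encrypt(d::text, 'pwd', 's2k-count=1000000')))
FROM generate_series('2022-01-01'::timestamp, '2022-12-31'::timestamp,
                     '1 hour'::interval) AS d;

-- 3. Cipher speed alone: raw encrypt() uses the key bytes as given (no S2K),
--    applied once to a constructed 32 MB buffer.
WITH buf AS (SELECT convert_to(repeat('x', 32 * 1024 * 1024), 'UTF8') AS b)
SELECT octet_length(encrypt(b, '0123456789abcdef'::bytea, 'aes-cbc/pad:pkcs'))
FROM buf;

WITH buf AS (SELECT convert_to(repeat('x', 32 * 1024 * 1024), 'UTF8') AS b)
SELECT octet_length(encrypt(b, '0123456789abcdef'::bytea, 'bf-cbc/pad:pkcs'))
FROM buf;
```

Compare the timings within each pair: a gap between AES and Blowfish that appears only in step 3 points to per-call overhead, not a missing AES-NI code path, as the reason the original queries ran at similar speed.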