Hifn 7955/7956 crypto accelerator questions



Hi,

I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461 (hifn
7956) to do some performance tests in a military environment with FreeBSD
systems. Since this is a big project and I don't want to jump in something
destined to fail, I'll ask your expertise.

1. After searching the mailing lists for reports of performance with openssl
and crypto accelerators, I did not find anything that showed an increase in
performance with the cards (though some posts date back to FBSD4.8). Does
openssl today make correct use of the crypto hardware?

2. From what I understand, ssh is supposed to increase in performance with
those cards. Assuming two FreeBSD computers with crypto accelerators are
transferring big files (say sftp) in a cipher that the card and driver
supports, would the transfer rate be at or near clear-text speed (in a
100mbps link)?

3. How does GEOM_ELI use crypto hardware to accelerate working with encrypted
partitions? Again, with big file systems, would a gain in performance be
noticeable?

4. Also, it seems that asymmetric crypto support is not yet implemented in the
hifn driver (according to the man page). Is it safe to assume that pgp will
not be accelerated? Any plans to support it? (perhaps this is an OpenBSD
question...)

The whole idea is to reduce conversion and transfer time with highly
sensitive, huge files (> 1 GB, sometimes near 10 GB). We currently use a
commercial software compatible with PGP, but there are security and
logistical issues with it (the commercial software, not PGP). Encrypting a
2GB file with PGP, even on a modern machine, takes a long time. I've done
tests with geli and am so far satisfied with it, but it is a storage
encryption and doesn't allow us to safely transfer data unless we physically
transfer the disk or use ssh. With geli, you also have to make sure that the
created partition is only readable/writeable by the user you want access
allowed to which reduces the total security of the information due to human
negligence.

Nicolas.
--
FreeBSD 7.0-CURRENT #9: Tue Oct 31 15:44:23 EST 2006
nicblais@clk01a:/usr/obj/usr/src/sys/CLK01A
PGP? : http://www.clkroot.net/security/nb_root.asc
