Simply performing the following command
# /usr/sfw/bin/openssl -engine pkcs11 speed rsa
will measure the rsa signs and verifies at various key sizes:
sign verify sign/s verify/s
rsa 512 bits 0.0000s 0.0000s 25429.8 30112.9
rsa 1024 bits 0.0000s 0.0000s 23423.1 28794.3
rsa 2048 bits 0.0000s 0.0000s 21155.0 27410.4
rsa 4096 bits 0.7073s 0.0190s 1.4 52.5
Wow! ... looks fast!
or is it?
Lets try the same on a Windows Intel box:
sign verify sign/s verify/s
rsa 512 bits 0.000286s 0.000026s 3500.8 38864.3
rsa 1024 bits 0.001467s 0.000079s 681.6 12578.7
rsa 2048 bits 0.009515s 0.000280s 105.1 3576.4
rsa 4096 bits 0.068150s 0.001098s 14.7 911.0
Or a VMWare Solaris x86:
sign verify sign/s verify/s
rsa 512 bits 0.0008s 0.0001s 1208.7 14074.3
rsa 1024 bits 0.0041s 0.0002s 245.0 4995.9
rsa 2048 bits 0.0243s 0.0007s 41.1 1505.2
rsa 4096 bits 0.1485s 0.0020s 6.7 492.9
But apparently, we're not really comparing apples to apples. Somewhere I read, we have to use the "-elapsed" flag of the speed subcommand. If we don't the comparisons are not fair.
# /usr/sfw/bin/openssl speed -engine pkcs11 -elapsed rsa
sign verify sign/s verify/s
rsa 512 bits 0.0003s 0.0002s 3103.7 5225.4
rsa 1024 bits 0.0007s 0.0003s 1482.0 3053.3
rsa 2048 bits 0.0023s 0.0008s 433.2 1286.6
rsa 4096 bits 0.7047s 0.0184s 1.4 54.2
Versus the Windows Intel machine:
sign verify sign/s verify/s
rsa 512 bits 0.000287s 0.000026s 3481.1 38185.0
rsa 1024 bits 0.001482s 0.000081s 674.9 12400.2
rsa 2048 bits 0.009558s 0.000281s 104.6 3557.0
rsa 4096 bits 0.069450s 0.001092s 14.4 916.1
Versus the Solaris VMWare x86 machine:
rsa 512 bits 0.0009s 0.0001s 1141.4 13736.3
rsa 1024 bits 0.0042s 0.0002s 238.3 4629.1
rsa 2048 bits 0.0260s 0.0007s 38.5 1480.9
rsa 4096 bits 0.1576s 0.0022s 6.3 456.1
The trick is that the pkcs11 version uses a lot less CPU. Try using the option -multi to run multiple speed tests at once and compare your CPU usage with top. The pkcs11-enabled version will barely use the CPUs whereas a non-pkcs11 version will pin the CPU.
No comments:
Post a Comment