Is encryption in RTI Connext DDS Secure hardware-accelerated?

RTI Connext DDS Secure relies on OpenSSL to handle cryptographic functionality. Specifically, it uses the EVP family of functions to interface with OpenSSL. Therefore, if your hardware supports cryptographic acceleration, RTI Connext DDS Secure automatically utilizes hardware acceleration wherever it is leveraged in OpenSSL. Intel CPUs generally offer the AES-NI instruction set to provide hardware acceleration of AES encryption, while AMD CPUs offer the functionally identical AES instruction set.

 

How to determine whether your CPU supports AES acceleration

Windows

You will need a program that can display the supported instruction sets for your hardware, such as CPU-Z. See the “Instructions” section in the screenshot below for an example of a CPU-Z readout for a processor with hardware AES support.

CPU-Z screenshot showing AES instruction support

 

Linux

Run the following command in a terminal:

grep -m1 -o aes /proc/cpuinfo

If the output is “aes”, then your processor supports hardware-accelerated AES.

 

Mac OS X

Run the following command in a terminal:

sysctl machdep.cpu.features | grep -i -m1 -o aes

If the output is “AES”, then your processor supports hardware-accelerated AES.

 

Testing OpenSSL hardware AES encryption support on x86 CPUs

The version of OpenSSL distributed on the RTI Support downloads page supports hardware encryption for x86 CPUs with the AES-NI instruction set. However, the version of OpenSSL included with an operating system may not have this support. If you have determined that your CPU includes AES hardware acceleration, use the following steps to verify that the OpenSSL installation on your system has support for hardware-accelerated AES.

 

Windows

Run the following in a Command Prompt window:

set OPENSSL_ia32cap=~0x200000200000000
openssl speed -evp aes-256-cbc
set OPENSSL_ia32cap=
openssl speed -evp aes-256-cbc

Compare the output of the two openssl commands. If the second command gives significantly better (higher) results, then your version of OpenSSL can utilize hardware AES instructions for encryption.

 

Linux/Mac OS X

Run the following in a Bash terminal:

export OPENSSL_ia32cap=~0x200000200000000
openssl speed -evp aes-256-cbc
unset OPENSSL_ia32cap
openssl speed -evp aes-256-cbc

Compare the output of the two openssl commands. If the second command gives significantly better (higher) results, then your version of OpenSSL can utilize hardware AES instructions for encryption.

 

How to acquire and configure a version of OpenSSL with support for hardware AES acceleration for use with RTI Connext DDS Secure

The RTI Support downloads page has host and target OpenSSL packages listed alongside RTI’s security-related packages. These packages are built with support for the AES-NI instruction set. To use one of these packages instead of an existing installation that does not support AES hardware acceleration, prepend the locations of any extracted binaries to the appropriate path variables as directed below.

 

Windows

Update the PATH environment variable to include the “bin” directory of the extracted OpenSSL archive. For example, if the OpenSSL archive is extracted to C:\rti\openssl and your target is x64Win64VS2015, you would add C:\rti\openssl\x64Win64VS2015\release\bin to your path.

 

Linux

To add the openssl shared libraries to your library search path, prepend the location of the “lib” directory of the extracted OpenSSL archive to your LD_LIBRARY_PATH environment variable. For example, if the archive is extracted in /opt/rti/openssl and your target is x64Linux3gcc4.8.2, set LD_LIBRARY_PATH as follows:

LD_LIBRARY_PATH=/opt/rti/openssl/x64Linux3gcc4.8.2/release/lib:$LD_LIBRARY_PATH

To add the openssl executable to your path, prepend the location of the “bin” directory of the extracted OpenSSL archive to your PATH environment variable as follows:

PATH=/opt/rti/openssl/x64Linux3gcc4.8.2/release/bin:$PATH

Mac OS X

To add the openssl shared libraries to your library search path, prepend the location of the “lib” directory of the extracted OpenSSL archive to your DYLD_LIBRARY_PATH environment variable. For example, if the archive is extracted in /opt/rti/openssl and your target is x64Darwin16clang8.0, set DYLD_LIBRARY_PATH as follows:

DYLD_LIBRARY_PATH=/opt/rti/openssl/x64Darwin16clang8.0/release/lib:$DYLD_LIBRARY_PATH

To add the openssl executable to your path, prepend the location of the “bin” directory of the extracted OpenSSL archive to your PATH environment variable as follows:

PATH=/opt/rti/openssl/x64Darwin16clang8.0/release/bin:$PATH

 

Additional information (including hardware acceleration in other architectures)

For further information about AES hardware acceleration for several architectures, please see the Wikipedia page for the AES instruction set