4.1. Cryptographic Libraries

This section compares the performance of the cryptographic libraries that Connext supports. We compare the performance of the OpenSSL 3.0.9, OpenSSL 1.1.1t, and wolfSSL 5.5.1 cryptographic libraries. Changes in the patch versions of those libraries (last digit in the OpenSSL 3 or wolfSSL version numbers, letter in the OpenSSL 1 version number) should not have a great effect on the performance results.

Note that we compare the performance of the libraries themselves, not of the products that use them (for example, the RTI Security Plugins). The products that depend on crypto libraries will be affected by the results presented in this section. It is expected that if a crypto library performs better, the version of the Connext product for this library will show better results.

Warning

The results of the OpenSSL and wolfSSL benchmarks can’t be directly compared. The data in this section is more useful for comparing across versions of the same cryptographic library (for example, OpenSSL 1.1.1t vs OpenSSL 3.0.8). Be wary when comparing results between OpenSSL and wolfSSL.

4.1.1. Digest Signature Algorithms

The OpenSSL speed benchmark estimates the performance for the SHA 256 and SHA 384 digest algorithms with inputs of different sizes. For each sample size, the benchmark runs continuously in a loop for three seconds and notes the number of samples for which it can compute the digest. Each iteration of the loop executes the following calls to the OpenSSL API:

  1. EVP_DigestInit_ex

  2. EVP_DigestUpdate

  3. EVP_DigestFinal_ex

These steps are quite representative of how the Security Plugins call OpenSSL to calculate the digest.

The final result is a table with the number of bytes per second that OpenSSL can calculate. The following graphs depict these data for both OpenSSL 3 and OpenSSL 1.

wolfSSL does something slightly different and with a much larger sample size. It calculates the digest of five blocks of 1 megabyte and, based on the time taken, it calculates the number of bytes per second. The benchmark reports a single value for this 1-megabyte sample. To better compare results (and for aesthetic purposes), the previous graph plots wolfSSL performance as if it had been the result for a sample with the largest size that OpenSSL supports (16384 bytes instead of the actual 1 megabyte).

4.1.2. Digital Signature Algorithms

Warning

The Security Plugins 7.1.0 for wolfSSL does not currently support the EDDSA+ED25519+SHA512 or EDDSA+ED448+SHAKE256 digital signature algorithms. That is why the results for these algorithms are so far zeroed for wolfSSL. You can find more information in the authentication.enable_custom_algorithms property. The wolfSSL version that we test internally is built without the `--enable-curve25519` and `--enable-curve448` options, so those curves are not available. For more information about the compilation flags, see the RTI Security Plugins installation instructions.

4.1.3. Key Establishment Algorithms

Warning

The Security Plugins 7.1.0 for wolfSSL does not support the ECDHE-CEUM+X25519 or ECDHE-CEUM+X448 key establishment algorithms. That is why the results for these algorithms are so far zeroed for wolfSSL. You can find more information in the authentication.enable_custom_algorithms property. The wolfSSL version that we test internally is built without the `--enable-curve25519` and `--enable-curve448` options, so those curves are not available. For more information about the compilation flags, see the RTI Security Plugins installation instructions.

4.1.4. Symmetric Cipher Algorithms

The OpenSSL speed benchmark estimates the performance of the AES 128 and AES 256 symmetric cipher algorithms with inputs of different sizes. For each sample size, the benchmark runs continuously in a loop for three seconds and notes the number of samples that it can encrypt or decrypt. Each iteration of the loop executes the following calls to the OpenSSL encryption/decryption API:

On the encryption side:

  1. EVP_EncryptInit_ex

  2. EVP_EncryptUpdate: One call for the AAD (Additional Authenticated Data) and another for the payload.

  3. EVP_EncryptFinal_ex

  4. EVP_CIPHER_CTX_ctrl: We patched the OpenSSL speed utility to include this additional call to EVP_CIPHER_CTX_ctrl on the encryption side. This better reflects how the Security Plugins use OpenSSL.

On the decryption side:

  1. EVP_DecryptInit_ex

  2. EVP_CIPHER_CTX_ctrl

  3. EVP_DecryptUpdate: One call for the AAD (Additional Authenticated Data) and another for the payload.

  4. EVP_DecryptFinal_ex

wolfSSL calculates the encryption/decryption of five 1-megabyte inputs and, based on the time taken, it returns the bytes per second for this sample size (1 megabyte). However, the wolfSSL benchmark does not support the -aead flag, so it doesn't call the EVP_CIPHER_CTX_ctrl API. It only calls the init, update, and final APIs. Therefore, the results are not directly comparable with the ones from OpenSSL.

The wolfSSL benchmark tool reports a single value for this 1-megabyte sample. To better compare results (and for aesthetic purposes), the previous graph plots wolfSSL performance as if it had been the result for a sample with the largest size that OpenSSL supports (16384 bytes instead of the actual 1 megabyte).