Intro to HSMs
Hardware Security Modules (HSMs) are basically dedicated cryptography devices, and are often one of the first links in the chain of trust in so much of what we do with technology today. They allow you to offload cryptographic functions such as signing or encryption, which are sometimes computationally expensive, and are often required in industries whose regulations require tight control of private key material (e.g. banking, certificate authorities). They also give you reliable auditing capabilities and are designed to be extremely difficult to tamper with. This article does not try to sway you one way or the other on using an HSM; whether or not you need one is usually determined by regulation or security requirements, not by performance. If you are not interested in how I arrived at the numbers, click here to see the results.
Having said that, I think there are more than a few people out there who think that dedicated hardware equals better performance. This article explores that assumption: whether or not HSMs provide any performance benefit over software, in this case OpenSSL, on commodity hardware.
HSM Performance Data
One of the unfortunate things about HSMs is that there isn’t a ton of information about them online, simply due to the nature of what they are. It isn’t the type of thing you learn about in school, nor are you going to set one up in a homelab. Most of the information about them is in the hands of the vendors, hidden behind links that say things like “Contact us for more info”.
For my HSM performance benchmarks I went with publicly available benchmarks that a vendor itself reports. Relying on the vendor to provide this information may steer the benchmarks in a more favourable direction than I might see in the real world, but I’m fine giving them the benefit of the doubt. Unfortunately, there was only one vendor that had enough technical info in its publicly available material to test against. The vendor and product line that I’m using is Thales e-Security nShield Connect. The metrics that I’m using are at the bottom of this document, and the data for the graphs in the next sections is pulled from this Google Sheet. If you have complete and comparable info from other vendors, let me know and I will look at adding it. I’m not concerned about only having one vendor’s information, as I feel that this is representative of what I have seen from other vendors’ self-reported benchmarks.
For OpenSSL I used its built-in speed module running on a $5/month Digital Ocean VPS. This box is not a performance monster; it has 512MB of RAM and a single-core virtual CPU. I wrote a quick Bash script to run the OpenSSL benchmark 10 times across RSA 2048/4096-bit signing operations, ECDSA P-192/P-256/P-521 signing and verification operations, and ECDH P-192/P-256/P-521 key-generating operations.
    #!/bin/bash
    for ((i = 1; i <= 10; i++)); do
        openssl speed rsa2048 rsa4096 ecdsap192 ecdsap256 ecdsap521 ecdhp192 ecdhp256 ecdhp521 >> opensslbench.txt
    done
The raw output of this can be found here.
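One way to reduce opensslbench.txt to per-algorithm averages, as an added example that is not part of the original post. The sample lines are constructed, and the result-row layout is an assumption that should be checked against what your OpenSSL version prints.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample: result rows for two runs in the layout `openssl speed`
# prints on stdout. The numbers are made up and are not the post's data.
SAMPLE = """\
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.001250s 0.000040s    800.0  25000.0
rsa 4096 bits 0.010000s 0.000160s    100.0   6250.0
                              sign    verify    sign/s verify/s
 256 bit ecdsa (nistp256)   0.0002s   0.0005s   5000.0   2000.0
                              op      op/s
 256 bit ecdh (nistp256)   0.0004s   2500.0
rsa 2048 bits 0.001000s 0.000040s   1000.0  25000.0
rsa 4096 bits 0.010000s 0.000160s    100.0   6250.0
 256 bit ecdsa (nistp256)   0.0002s   0.0005s   5000.0   2000.0
 256 bit ecdh (nistp256)   0.0005s   2000.0
"""

NUM = r"([\d.]+)"
# RSA and ECDSA rows end in "<sign/s> <verify/s>"; ECDH rows end in "<op/s>".
ROWS = [
    (re.compile(rf"^\s*rsa\s+(\d+) bits\s+\S+s\s+\S+s\s+{NUM}\s+{NUM}\s*$"),
     "rsa{}", ("sign/s", "verify/s")),
    (re.compile(rf"^\s*\d+ bits? ecdsa \((\w+)\)\s+\S+s\s+\S+s\s+{NUM}\s+{NUM}\s*$"),
     "ecdsa-{}", ("sign/s", "verify/s")),
    (re.compile(rf"^\s*\d+ bits? ecdh \((\w+)\)\s+\S+s\s+{NUM}\s*$"),
     "ecdh-{}", ("op/s",)),
]

def summarize(text):
    """Return {(algorithm, metric): (mean ops/s, number of runs parsed)}."""
    samples = defaultdict(list)
    for line in text.splitlines():
        for pattern, name, metrics in ROWS:
            m = pattern.match(line)
            if m:
                algorithm = name.format(m.group(1))
                for metric, value in zip(metrics, m.groups()[1:]):
                    samples[(algorithm, metric)].append(float(value))
                break
    return {key: (mean(vals), len(vals)) for key, vals in samples.items()}

if __name__ == "__main__":
    for (algorithm, metric), (avg, runs) in sorted(summarize(SAMPLE).items()):
        print(f"{algorithm:16} {metric:9} {avg:10.1f}  (runs={runs})")
```

For the real file, pass `open("opensslbench.txt").read()` to `summarize` and confirm every algorithm reports 10 runs; a lower count means some rows did not match the assumed layout.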
The next two graphs are the signing and verification of both RSA and ECC under OpenSSL. When we compare OpenSSL to the HSM we won’t be including the verification benchmarks as that is something that clients tend to do more often. It is included here to make a point illustrated below.
Notice that RSA is slower at signing and faster at verifying. This is because, in most implementations of RSA, the public exponent, used for verifying, is smaller than the private exponent, which is used for signing (more here). I’d be very interested to see if the HSM implements RSA in this way; please post in the comments if you know more! Notice also that with ECC and ECDSA, the signing algorithm that usually accompanies ECC keys, signing and verification performance tend to be comparable.
These are the results of ECC key generation. Note that, according to NIST and the NSA, 192-bit ECC keys are just under 2048-bit RSA keys in terms of equivalency, while 256-bit ECC is equivalent to 3072-bit RSA and 521-bit ECC to 15360-bit RSA. The most surprising thing here is how comparable 192 and 256 are in terms of performance: extra crypto for a negligible performance hit.
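The exponent-size asymmetry described above, counted in modular multiplications (an added example, not code from the original post). The key is a constructed toy built from two Mersenne primes, and the RSA is textbook RSA without padding; only the operation counts matter here.

```python
# Toy parameters, constructed for this example: two Mersenne primes, so no
# key file or crypto library is needed. Textbook RSA without padding; this
# shows operation counts only and is not a usable key.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
E = 65537                              # the usual small public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, about as long as N

def modexp(base, exponent, modulus):
    """Left-to-right square-and-multiply.

    Returns (result, number of modular multiplications performed).
    """
    result, ops = base % modulus, 0
    for bit in bin(exponent)[3:]:      # skip '0b' and the leading 1 bit
        result = result * result % modulus      # one squaring per bit
        ops += 1
        if bit == "1":                          # extra multiply per set bit
            result = result * base % modulus
            ops += 1
    return result, ops

def sign(message):
    """Private-key operation: message^D mod N."""
    return modexp(message, D, N)

def verify(signature):
    """Public-key operation: signature^E mod N."""
    return modexp(signature, E, N)

if __name__ == "__main__":
    message = int.from_bytes(b"constructed test message", "big")
    signature, sign_ops = sign(message)
    recovered, verify_ops = verify(signature)
    print("round trip ok:", recovered == message)
    print("multiplications to sign:  ", sign_ops)
    print("multiplications to verify:", verify_ops)
```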
OpenSSL vs HSM Showdown
Now that we have our OpenSSL data together, let’s graph it against the HSM data from the table at the beginning of the article. Interestingly enough, we see that the HSM is way faster at generating RSA signatures than OpenSSL. Perhaps the HSM is choosing the smaller prime when generating its private key to squeeze that extra signing performance out? Maybe they are hardware accelerating the RSA signing process?
The results for ECDSA signing and ECC key generation indicate that OpenSSL is the clear winner.
I’m not actually sure what I would have predicted the results to be when I started putting this post together. If you work with HSMs on a regular basis, feel free to comment or contact me; I’d love to hear your perspective on the data I’ve put together here. If you are only looking at HSMs from a performance perspective, they clearly aren’t worth the extra expense. Use an HSM because it adds security, not because it is fast.
Thanks for stopping by!