OpenSSL Vs HSM Performance

Intro to HSMs

Hardware Security Modules (HSMs) are basically dedicated cryptography devices, and are often one of the first links in the chain of trust in so much of what we do with technology today. They allow you to offload sometimes computationally expensive cryptographic functions like signing or encryption, and are often required in industries whose regulations require tight control of private key material (e.g. banking, certificate authorities). They also allow you to have reliable auditing capabilities and are designed to be extremely difficult to tamper with. This article does not try to sway you one way or the other in terms of using an HSM; whether or not you need an HSM is usually determined by regulation or security requirements and not performance reasons. If you are not interested in how I arrived at the numbers, click here to see the results.

Having said that, I think there are more than a few people out there who think that dedicated hardware equals better performance. This article explores that assumption: do HSMs provide any performance benefit over using software, in this case OpenSSL, on commodity hardware?

HSM Performance Data

One of the unfortunate things about HSMs is that there isn’t a ton of information about them online, simply due to the nature of what they are. It isn’t the type of thing you learn about in school, nor are you going to set one up in a homelab. Most of the information about them is in the hands of the vendors, hidden behind links that say things like “Contact us for more info”.

For my HSM performance benchmarks I went with publicly available benchmarks that a vendor themselves reports. Relying on the vendor to provide this information may steer the benchmarks in a more favourable direction than I might see in the real world, but I’m fine giving them the benefit of the doubt. Unfortunately, there was only 1 vendor that had enough technical info in their publicly available material to test against. The vendor and product line that I’m using is Thales e-Security nShield Connect. The metrics that I’m using are at the bottom of this document, and the data for the graphs in the next sections is pulled from this Google Sheet. If you have complete and comparable info from other vendors, let me know and I will look at adding it. I’m not concerned about only having one vendor’s information, as I feel that it is representative of what I have seen from other vendors’ self-reported benchmarks.

[Image: nShield_Connect]

Benchmarking OpenSSL

For OpenSSL I used its built-in speed module running on a $5/month Digital Ocean VPS. This box is not a performance monster: it has 512MB of RAM and a single core virtual CPU. I wrote a quick Bash script to run the OpenSSL benchmark 10 times across RSA 2048/4096 bit signing operations, ECDSA P-192/P-256/P-521 signing and verification operations, and ECDH P-192/P-256/P-521 key generating operations.


#!/bin/bash
# Run the benchmark 10 times, appending each run's summary to one file.
for ((i = 1; i <= 10; i++)); do
    openssl speed rsa2048 rsa4096 ecdsap192 ecdsap256 ecdsap521 ecdhp192 ecdhp256 ecdhp521 >> opensslbench.txt
done

The raw output of this can be found here.
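One way to turn the ten appended runs into per-algorithm averages, as an added example that is not part of the original post. The sample lines are constructed (made-up values) and the column layout is assumed to match the summary table that `openssl speed` prints; newer OpenSSL releases may add columns.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample: summary lines from two runs, as they would accumulate
# in opensslbench.txt. Values are invented for illustration.
SAMPLE = """\
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.001000s 0.000030s   1000.0  33000.0
rsa 4096 bits 0.007000s 0.000110s    140.0   9000.0
                              sign    verify    sign/s verify/s
 256 bit ecdsa (nistp256)   0.0001s   0.0004s   8000.0   2500.0
                              op      op/s
 256 bit ecdh (nistp256)   0.0003s   3000.0
rsa 2048 bits 0.000900s 0.000029s   1100.0  34000.0
rsa 4096 bits 0.006900s 0.000108s    144.0   9200.0
 256 bit ecdsa (nistp256)   0.0001s   0.0004s   8200.0   2700.0
 256 bit ecdh (nistp256)   0.0003s   3100.0
"""

# Signature rows carry sign/s and verify/s; ECDH rows carry a single op/s.
SIG = re.compile(
    r"^\s*(rsa\s+\d+ bits|\d+ bits? ecdsa \(\w+\))"
    r"\s+\S+s\s+\S+s\s+([\d.]+)\s+([\d.]+)\s*$"
)
ECDH = re.compile(r"^\s*(\d+ bits? ecdh \(\w+\))\s+\S+s\s+([\d.]+)\s*$")


def summarize(text):
    """Return {algorithm: {metric: mean ops/sec}} over every run found in text."""
    samples = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if m := SIG.match(line):
            name = " ".join(m.group(1).split())  # normalise spacing
            samples[name]["sign/s"].append(float(m.group(2)))
            samples[name]["verify/s"].append(float(m.group(3)))
        elif m := ECDH.match(line):
            name = " ".join(m.group(1).split())
            samples[name]["op/s"].append(float(m.group(2)))
    # Header rows and any progress lines match neither pattern and are skipped.
    return {a: {k: mean(v) for k, v in ms.items()} for a, ms in samples.items()}


if __name__ == "__main__":
    for alg, metrics in summarize(SAMPLE).items():
        print(alg, metrics)
```

To use it on real data, pass the contents of opensslbench.txt to `summarize()` instead of `SAMPLE`.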

The next two graphs are the signing and verification of both RSA and ECC under OpenSSL. When we compare OpenSSL to the HSM we won’t be including the verification benchmarks as that is something that clients tend to do more often. It is included here to make a point illustrated below.

Notice that RSA is slower at signing and faster at verifying. This is because in most implementations of RSA the public exponent, used for verifying, is smaller than the private exponent, which is used for signing (more here). I’d be very interested to see if the HSM implements RSA in this way, please post in the comments if you know more! Notice also that with ECC and ECDSA, the signing algorithm that usually accompanies ECC keys, the signing and verification performance tend to be comparable.
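The exponent-size asymmetry described above, shown by counting modular operations (an added example, not code from the original post). The modulus `N` and private-size exponent `D` are constructed 2048-bit stand-ins, not a valid key pair, and 65537 is assumed as the public exponent; real libraries use faster exponentiation methods, but the gap in work remains.

```python
import random


def modexp_counted(base, exponent, modulus):
    """Left-to-right square-and-multiply.

    Returns (result, squarings, multiplications) so the cost of a small
    public exponent can be compared with a full-size private exponent.
    """
    if exponent < 1:
        raise ValueError("exponent must be >= 1")
    result = base % modulus
    squarings = multiplications = 0
    # bin() gives '0b1...'; the leading 1 bit is covered by starting at `base`.
    for bit in bin(exponent)[3:]:
        result = (result * result) % modulus
        squarings += 1
        if bit == "1":
            result = (result * base) % modulus
            multiplications += 1
    return result, squarings, multiplications


# Constructed stand-ins of realistic size (assumption: 2048-bit RSA).
_rng = random.Random(2048)
N = _rng.getrandbits(2048) | (1 << 2047) | 1   # odd, exactly 2048 bits
D = _rng.getrandbits(2048) | (1 << 2047) | 1   # private-exponent-sized value
E = 65537                                      # common public exponent


def compare_costs(message=5):
    """Return ((verify_sq, verify_mul), (sign_sq, sign_mul)) for one message."""
    _, v_sq, v_mul = modexp_counted(message, E, N)
    _, s_sq, s_mul = modexp_counted(message, D, N)
    return (v_sq, v_mul), (s_sq, s_mul)


if __name__ == "__main__":
    verify, sign = compare_costs()
    print("verify (e=65537): %d squarings, %d multiplications" % verify)
    print("sign (2048-bit d): %d squarings, %d multiplications" % sign)
```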

These are the results of ECC key generation. Note that, according to NIST and the NSA, 192 bit ECC keys are just under 2048 bit RSA keys in terms of equivalency, while 256 bit ECC corresponds to 3072 bit RSA and 521 bit ECC to 15360 bit RSA. The most surprising thing here is how comparable 192 and 256 are in terms of performance. Extra crypto for a negligible performance hit.

OpenSSL vs HSM Showdown

Now that we have our OpenSSL data together, let’s graph it against the HSM data from the table at the beginning of the article. Interestingly enough, we see that the HSM is way faster at generating RSA signatures than OpenSSL. Perhaps the HSM is choosing the smaller prime when generating its private key to squeeze that extra signing performance out? Maybe they are hardware accelerating the RSA signing process?

The results for ECDSA signing and ECC key generation indicate that OpenSSL is the clear winner.

Conclusion

I’m not actually sure what I would have predicted the results would have been at the beginning of putting this post together. If you work with HSMs on a regular basis feel free to comment or contact me, I’d love to hear your perspective on the data I’ve put together here. If you are only looking at HSMs from a performance perspective, they clearly aren’t worth the extra expense. Use an HSM because it adds security, not because it is fast.

Thanks for stopping by!

Jim
Feature Image Credit: Mike

3 thoughts on “OpenSSL Vs HSM Performance”

  1. Thanks a lot for this article. I always had the same suspicions. I think the performance gains from using an HSM are a thing of the past, since general purpose CPUs have had specialised crypto instructions for many years now. Also if you consider the back and forth network trip to the HSM the result is that the HSM is probably much slower!
    Finally you mentioned it in your article: you used a $5 a month machine vs a multi thousand device. The fact that the results are even comparable says a lot.

  2. Side-thought. I’d like to see this run on EC2, Linode and some other VPS vendors. I think YMMV between providers, and what we might be seeing is that the hardware features leading to the speed gains in software are actually only available to a handful of setups.

    All that said, I wouldn’t be surprised if HSM vendors are a little complacent. As you’ve noted regulation & compliance mean they have to be purchased for some setups, and that probably leads to high confidence and no hunger pains forcing innovation.
