4

Is there a Java security provider which can handle SSL connections and supports AES-NI instructions?

I have tried to use SunPKCS11 with Mozilla NSS, but it doesn't work for SSL connections that use AES encryption. According to the Java PKCS#11 Reference Guide, this provider doesn't support SSLContext.* "algorithms" :-(

Peter Štibraný
  • This might help you, although a bit old: http://stackoverflow.com/questions/3045520/aes-acceleration-for-java – Anders R. Bystrup Jan 10 '13 at 14:12
  • 1
    @AndersR.Bystrup: thanks. I've found that question. Unfortunately it is now over 2 years old. Java7 is now out, but I cannot find anything about supporting AES-NI out of the box (without SunPKCS11 and external library). Even then, I've got SunPKCS11+mozilla-nss running and speed improvements for AES encryption are significant, but it doesn't handle SSL connections, which still use SunJSSE provider. – Peter Štibraný Jan 10 '13 at 14:25
  • this would be platform specific, and I'm not sure that this is a Java thing therefore. However I'd simply use SWIG and provide an interface to these native libs that way. – wishi Jan 10 '13 at 14:28
  • @wishi: thanks for your comment. Unfortunately we already have quite a big application using Java code to handle connections, and your suggestion would imply rewriting some portions of it. For now that's off the table. Preferably I would only like to change the security provider and keep our app unchanged. – Peter Štibraný Jan 10 '13 at 14:32
  • 1
    Here's an interesting link, related to IBM WebSphere: http://www-01.ibm.com/support/docview.wss?uid=swg1IV26016 – Anders R. Bystrup Jan 10 '13 at 14:37
  • 1
    @AndersR.Bystrup: thanks Anders. I have now realized that I am mixing two different 'technologies' / libraries here: JCE (crypto stuff) and JSSE (secure sockets). According to http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#PKCS11, "In Java SE 6, the SunJSSE provider uses JCE exclusively for all of its cryptographic operations and hence, is able to automatically take advantage of JCE features and enhancements, including JCE's newly added support for PKCS#11". I need to better understand this... it seems that it may actually work as I want it to. – Peter Štibraný Jan 10 '13 at 14:46

2 Answers

2

There is some recent activity in Dec 2012 to support AES-NI on x86. See JEPS-164.

This merge in Dec 2012 to jdk8, discussed here, includes assembly code changes to support AES-NI. From the discussion it looks like the change might be backported to jdk7u12.

The IBM JCE for Java V7 in Nov 2012 includes support for AES-NI.

If one of these new JREs is used, your Java SSL/TLS implementation should be taking advantage of AES-NI without using a PKCS11 provider.

You could check your BIOS to see if AES-NI can be enabled/disabled. If it can then you could run a micro-benchmark of AES encrypt/decrypt to see what the difference is.

pd40
  • 1
    Thanks for the answer. I did run a totally unscientific microbenchmark, and the speed improvement when using PKCS11+mozilla-nss on a machine with AES-NI was significant ... It was about 4 times faster. When running the same test on a machine without AES-NI support, the difference between crypto providers was much smaller, almost unnoticeable. In this question I wanted to make sure that I am getting this benefit also when using SSL sockets. – Peter Štibraný Jan 12 '13 at 13:05
1

I believe that I have found the answer to my question.

First of all, I'm mixing "providers" for two different libraries: JCE (implementations of crypto algorithms) and JSSE (support for secure sockets).

According to the Java™ Secure Socket Extension (JSSE) Reference Guide, section JCE and Hardware Acceleration/Smartcard Support, the default JSSE provider (SunJSSE) uses JCE for all crypto operations.

JCE can be configured to use hardware-accelerated AES e.g. by using SunPKCS11 + mozilla-nss library, as documented for example in this answer.

What remains to be done (in my case) is to make sure that SSL is configured with proper ciphers, and to verify that SunPKCS11 is actually used by SSL connections.

Community
Peter Štibraný
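
One way to carry out the verification described in the last answer, as an added example that is not code from the original posts: it prints the JCE provider order, the provider that actually serves AES once a key is supplied, and the AES cipher suites enabled on the default SSLContext. It assumes SunJSSE resolves its ciphers through the normal JCE provider preference order and requests the two transformations listed; the class name and the all-zero key are constructed for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLContext;

public class AesProviderCheck { // hypothetical class name
    // Name of the provider that serves the transformation after init();
    // JCE delays provider selection until a key is supplied.
    static String providerFor(String transformation) throws Exception {
        boolean gcm = transformation.contains("GCM");
        byte[] key = new byte[16]; // constructed all-zero key, for this check only
        AlgorithmParameterSpec spec = gcm
                ? new GCMParameterSpec(128, new byte[12])
                : new IvParameterSpec(new byte[16]);
        Cipher c = Cipher.getInstance(transformation);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), spec);
        return c.getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        // 1. Provider preference order: a PKCS#11 provider must precede the
        //    software providers to be chosen for AES.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("%2d. %s%n", i + 1, providers[i].getName());
        }
        // 2. Which provider backs the AES transformations (assumed to be the
        //    ones the TLS stack requests for CBC and GCM suites).
        for (String t : new String[] {"AES/CBC/NoPadding", "AES/GCM/NoPadding"}) {
            try {
                System.out.println(t + " -> " + providerFor(t));
            } catch (Exception e) {
                System.out.println(t + " -> unavailable: " + e);
            }
        }
        // 3. JSSE provider and the AES suites enabled by default.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("JSSE provider: " + ctx.getProvider().getName());
        for (String suite : ctx.getDefaultSSLParameters().getCipherSuites()) {
            if (suite.contains("_AES_")) {
                System.out.println("  enabled: " + suite);
            }
        }
    }
}
```

If step 2 reports a software provider such as SunJCE while SunPKCS11 is installed, the PKCS#11 provider is either listed after it in `java.security` or does not offer that transformation.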