Apache Commons Crypto: Another wheel of Apache Commons. Dapeng Sun/ Xianda Ke

Similar documents
Cipher Suite Configuration Mode Commands

IPSec Transform Set Configuration Mode Commands

CSE 127: Computer Security Cryptography. Kirill Levchenko

Security with VA Smalltalk

Cryptography and Network Security

HBase Security. Works in Progress Andrew Purtell, an Intel HBase guy

NIST Cryptographic Toolkit

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

IPSec Transform Set Configuration Mode Commands

Cryptographic Concepts

Oracle Solaris Userland Cryptographic Framework Software Version 1.0 and 1.1

Lecture 1 Applied Cryptography (Part 1)

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

Encryption. INST 346, Section 0201 April 3, 2018

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Introduction to information Security

PROTECTING CONVERSATIONS

Cryptography MIS

There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Leveraging Intel SGX to Create a Nondisclosure Cryptographic library

Implementing AES : performance and security challenges

TLS 1.1 Security fixes and TLS extensions RFC4346

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Oracle Solaris Kernel Cryptographic Framework Software Version 1.0 and 1.1

WAP Security. Helsinki University of Technology S Security of Communication Protocols

IOS Common Cryptographic Module (IC2M)

FIPS Compliance of Industry Protocols in Edward Morris September 25, 2013

Computer Security: Principles and Practice

Vortex. A New Family of One-Way Hash Functions. Based on AES Rounds and Carry-less Multiplication. Intel Corporation, IL

Winter 2011 Josh Benaloh Brian LaMacchia

Comparison of SSL/TLS libraries based on Algorithms/languages supported, Platform, Protocols and Performance. By Akshay Thorat

APNIC elearning: Cryptography Basics

Ref:

FACE : Fast AES CTR mode Encryption Techniques based on the Reuse of Repetitive Data

Symmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.

Anand Raghunathan

CS155. Cryptography Overview

CIS 4360 Secure Computer Systems Symmetric Cryptography

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

FIPS Security Policy UGS Teamcenter Cryptographic Module

Cryptography Introduction

Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications. International Crypto Module Conference May 19, 2017

RSA BSAFE Crypto-C Micro Edition Security Policy

Parallelizing IPsec: switching SMP to On is not even half the way

1.264 Lecture 28. Cryptography: Asymmetric keys

Cryptography Functions

Scaling Acceleration Capacity from 5 to 50 Gbps and Beyond with Intel QuickAssist Technology

Technological foundation

CSC 774 Network Security

Coming of Age: A Longitudinal Study of TLS Deployment

Implementing Cryptography: Good Theory vs. Bad Practice

Defending Against the Sneakers Scenario. Bryan Sullivan, Security Program Manager, Microsoft SDL

Authenticated Encryption in TLS

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Information Security CS526

CSCE 715: Network Systems Security

Security IP-Cores. AES Encryption & decryption RSA Public Key Crypto System H-MAC SHA1 Authentication & Hashing. l e a d i n g t h e w a y

Block Ciphers. Secure Software Systems

State of TLS usage current and future. Dave Thompson

Security. Communication security. System Security

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Study Guide to Mideterm Exam

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CSCE 715: Network Systems Security

RSA BSAFE Crypto-J JSAFE and JCE Software Module Security Policy Level 2 Roles, Services and Authentication

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Symantec Corporation

Application of Cryptography in.net Framework

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Introduction to cryptology (GBIN8U16) Introduction

Uses of Cryptography

Transport Level Security

Encrypting and Decrypting using CTR and CBC Modes in C# with BouncyCastle

Cryptographic Hash Functions

OpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12

Findings for

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Dyadic Security Enterprise Key Management

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

SSH Bulk Transfer Performance. Allan Jude --

Encryption 2. Tom Chothia Computer Security: Lecture 3

The Linux Kernel Cryptographic API

Apache HBase Andrew Purtell Committer, Apache HBase, Apache Software Foundation Big Data US Research And Development, Intel

CRYPTOGRAPHY. Jakub Laszczyk. June 7th,

A practical integrated device for lowoverhead, secure communications.

POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK DR. DANIEL SLAMANIG

OPTIMIZED CRYPTOGRAPHY COMPONENTS FOR CONSTRAINED ENVIRONMENTS. RSA BSAFE Crypto Kernel. Solution Brief

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

RSA BSAFE Crypto-J JSAFE and JCE Software Module 5.0 Security Policy Level 1 Roles, Authentication and Services

Route1 FIPS Cryptographic Module

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Updates: 2409 May 2005 Category: Standards Track. Algorithms for Internet Key Exchange version 1 (IKEv1)

Introduction to Cryptography. Vasil Slavov William Jewell College

Transcription:

Apache Commons Crypto: Another wheel of Apache Commons Dapeng Sun/ Xianda Ke

About us Dapeng Sun @Intel Apache Commons Committer Apache Sentry PMC Xianda Ke @Intel Apache Commons Crypto Apache Pig(Pig on Spark) OpenJDK

Agenda Brief introduction to cryptography What s Commons Crypto? Why did we create another wheel? Performance secrets Securing big data & API samples

A glance at cryptographic primitives Symmetric encryption(secret Key) : Confidentiality DES/3DES, RC4, AES, Asymmetric encryption (Public Key) Authentication / Key exchange : RSA, Diffie-Hellman, ECC,... Hash algorithms: Integrity MD5, SHA-1, SHA-2, GMAC(a variant of the GCM), Authenticated Encryption(AE): Confidentiality + Integrity RC4 + HmacMD5, RC4 + HMAC-SHA-1, AES-GCM, Random Number Generator PRNG(Pseudo) / TRNG(True) mode of operation: blurs the cipher output

What is Commons Crypto?(1) High-performance Java cryptography library optimized with AES-NI It wraps OpenSSL as the engine(via JNI)

History of Commons Crypto(1) HDFS Crypto codec Intel AES-NI Native library(openssl) support 17x performance improvement

History of Commons Crypto(2) Promote the advancement to other projects Intel s big data team created Chimera library https://github.com/intel-hadoop/chimera Easily contribute towards the advancement of AES-NI

History of Commons Crypto(3) Worked with Commons community contribute to Apache Community https://commons.apache.org/proper/commons-crypto/

What is Commons Crypto? (2) Low level Cipher API Only support AES algorithm now Stream API To encrypt Stream/Channel Random API True Random Number Generator

JCE(Java Cryptography Extension) in hand, why did we create another wheel? background & motivation

Don t end up in a bottleneck Some Java cryptographic protocols(e.g. SASL) are using inefficient or weak low-level algorithms: 3DES, RC4, Hadoop/Spark users own very big data User s data is vulnerable to attack Performance of JCE is the bottleneck! Take security & performance into account, JCE is impractical

Choosing algorithm for data encryption DES is broken 3DES is too slow RC4 is fast, but weak. prohibited by RFC 7465 AES is secure

However, the problem is that AES s performance in JDK is NOT good enough

THROUGHPUT OF SYMMETRIC ALGORITHMS (MB/S) 1400 1200 1196.01 1000 800 600 400 200 0 14.59 228.98 297.54 3DES(JDK8) AES-CTR-128(JDK8) RC4(JDK8) AES-CTR-128(Crypto) * CPU: Xeon(R) CPU E5-2690 v2 @ 3.00GHz. Memory: DDR3-1600, 64 G.

900 800 THROUGHPUT OF AES ALGORITHMS (MB/S) ~ 6X 762.81 700 600 ~190X 500 400 300 200 100 0 267.78 149.8 131.69 3.98 RC4+HmacMD5(JDK8) RC4+HmacSHA1(JDK8) AES-GCM(JDK8) AES-GCM(JDK9) AES-GCM(Crypto) * CPU: Xeon(R) CPU E5-2690 v2 @ 3.00GHz. Memory: DDR3-1600, 64 G.

100 90 THROUGHPUT OF RANDOM NUMBER GENERATOR (MB/S) 86.83 80 70 60 50 ~13X 40 30 20 10 6.61 0 SecureRandom(JDK8) CrytpoRandom *Java 8. CPU: Xeon(R) CPU E5-2690 v2 @ 3.00GHz. Memory: DDR3, 64 G.

Commons Crypto is a better alternative! SECURE FAST

Using Commons Crypto to secure your big data, and no performance bottleneck You might ask what makes crypto so fast?

Performance Secret (1): AES in hardware (Intel AES-NI) AES algorithm: each round consists of several processing steps: MixColumn, ShiftRow, Substitute bytes All these steps in a round can be done by a SINGLE instruction AESENC xmm1, xmm2

Performance Secret (2): Pipelining(instruction-level parallelism) AESENC instruction takes 7 CPU clock cycles data dependence exists, instructions have to be executed one by one Pipelining instructions, 6 instructions take only 12 clock cycles

Other performance Secrets: Well-optimized assembly code in OpenSSL Better SSE/AVX registers usage (x86 platform) Data locality, etc Hardware acceleration in OpenSSL Intel Carry-Less Multiplication Instruction (PCLMULQDQ for GCM) Intel Secure Key (RDRAND, Random Number Generator) in other architectures HotSpot Intrinsics for AES are NOT well-optimized (JDK 8)

JDK 9 is becoming fast JDK-8073108 enables PCLMULQDQ for AES-GCM, ~60X gain, still falls far behind Commons Crypto We ve contributed two patches to OpenJDK (HotSpot): JDK-8143925 x86 AES-CTR, 5~8x gain JDK-8152354 x86 AES-CBC Decryption, 15%~50% gain But we have to wait for a few years to adopt Java 9 in our software production

Big Data components are using Commons Crypto/AES-NI AES support for over-the-wire encryption(spark-13331) Add encrypted shuffle in spark (SPARK-5682) brings 12.5% overall performance gain Optimize HDFS Encrypted Transport performance (HDFS-6606) brings 17x overall performance gain Improve transparent table/cf encryption with Commons Crypto (HBASE-16463) showed 4% to 42% gain for HFile encryption using HfilePerformanceEvaluation tool Improve performance for RPC encryption (HBASE-16414) improves performance about 9x when enable delegation token (in development) : Optimize Hadoop RPC encryption performance(hadoop-10768) Replace Hadoop Common crypto code with Apache Commons Crypto(HADOOP-13635)

API & Samples

API & Samples

API & Samples

Status & Future work: Status: v1.0.0 is released. AES-CBC, AES-CTR are supported AES-GCM ( will be released in next release) Future work : to cover more facets : Support Asymmetric key algorithms: RSA, DSA How to contribute: SCM: https://github.com/apache/commons-crypto Apache Bugtracker (JIRA): https://issues.apache.org/jira/

Thank You Q & A

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback