4

Is there a Java security provider that can handle SSL connections and supports AES-NI instructions?

I have tried to use SunPKCS11 with Mozilla NSS, but it doesn't work for SSL connections that use AES encryption. According to the Java PKCS#11 Reference Guide, this provider doesn't support SSLContext.* "algorithms" :-(

6
  • This might help you, although a bit old: stackoverflow.com/questions/3045520/aes-acceleration-for-java
    Commented Jan 10, 2013 at 14:12
  • 1
    @AndersR.Bystrup: thanks. I've found that question. Unfortunately it is now over 2 years old. Java7 is now out, but I cannot find anything about supporting AES-NI out of the box (without SunPKCS11 and an external library). Even then, I've got SunPKCS11+mozilla-nss running and the speed improvements for AES encryption are significant, but it doesn't handle SSL connections, which still use the SunJSSE provider.
    Commented Jan 10, 2013 at 14:25
  • this would be platform specific, and I'm not sure that this is a Java thing therefore. However I'd simply use SWIG and provide an interface to these native libs that way.
    – wishi
    Commented Jan 10, 2013 at 14:28
  • 1
    Here's an interesting link, related to IBM WebSphere: www-01.ibm.com/support/docview.wss?uid=swg1IV26016
    Commented Jan 10, 2013 at 14:37
  • 1
    @AndersR.Bystrup: thanks Anders. I have now realized that I am mixing two different 'technologies' / libraries here: JCE (crypto stuff) and JSSE (secure sockets). According to docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/…, "In Java SE 6, the SunJSSE provider uses JCE exclusively for all of its cryptographic operations and hence, is able to automatically take advantage of JCE features and enhancements, including JCE's newly added support for PKCS#11". I need to better understand this... it seems that it may actually work as I want it to.
    Commented Jan 10, 2013 at 14:46

2 Answers

2

There was some recent activity in Dec 2012 to support AES-NI on x86. See JEPS-164.

This merge in Dec 2012 to jdk8, discussed here, includes assembly code changes to support AES-NI. From the discussion it looks like the change might be backported to jdk7u12.

The IBM JCE for Java V7 in Nov 2012 includes support for AES-NI.

If one of these new JREs is used, your Java SSL/TLS implementation should be taking advantage of AES-NI without using a PKCS11 provider.

You could check your BIOS to see if AES-NI can be enabled/disabled. If it can, then you could run a micro-benchmark of AES encrypt/decrypt to see what the difference is.

1
  • 1
    Thanks for the answer. I did run a totally unscientific microbenchmark, and the speed improvement when using PKCS11+mozilla-nss on a machine with AES-NI was significant ... It was about 4 times faster. When running the same test on a machine without AES-NI support, the difference between crypto providers was much smaller, almost unnoticeable. In this question I wanted to make sure that I am getting this benefit also when using SSL sockets.
    Commented Jan 12, 2013 at 13:05
1

I believe that I have found the answer to my question.

First of all, I'm mixing "providers" for two different libraries: JCE (implementations of crypto algorithms) and JSSE (support for secure sockets).

According to the Java™ Secure Socket Extension (JSSE) Reference Guide, section JCE and Hardware Acceleration/Smartcard Support, the default JSSE provider (SunJSSE) uses JCE for all crypto operations.

JCE can be configured to use hardware-accelerated AES, e.g. by using SunPKCS11 + the mozilla-nss library, as documented for example in this answer.

What remains to be done (in my case) is to make sure that SSL is configured with proper ciphers, and to verify that SunPKCS11 is actually used by SSL connections.
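
One way to run the two checks this answer ends on, as an added example that is not part of the original post: it reports which JCE provider a plain AES lookup resolves to and which AES cipher suites the default SSLContext enables. It assumes SunJSSE obtains AES through the same provider order as a `Cipher.getInstance()` call that names no provider; the class name `AesProviderCheck` and the all-zero key and IV are constructed for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLContext;

public class AesProviderCheck {

    // Name of the provider JCE selects for an AES transformation when the caller names none.
    // A name starting with "SunPKCS11-" means the PKCS#11 provider won the lookup.
    static String providerFor(String transformation) throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        // Constructed all-zero key and IV: provider selection is only final after init().
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[16], "AES"),
               new IvParameterSpec(new byte[16]));
        return c.getProvider().getName();
    }

    // AES cipher suites that the default SSLContext enables without further configuration.
    static List<String> enabledAesSuites() throws Exception {
        List<String> out = new ArrayList<String>();
        for (String s : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites()) {
            if (s.contains("_AES_")) out.add(s);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Provider order decides which AES implementation an unqualified lookup gets.
        Provider[] ps = Security.getProviders();
        for (int i = 0; i < ps.length; i++) {
            System.out.println((i + 1) + ". " + ps[i].getName());
        }
        System.out.println("AES/CBC/NoPadding -> " + providerFor("AES/CBC/NoPadding"));
        System.out.println("SSLContext provider -> "
                + SSLContext.getDefault().getProvider().getName());
        for (String s : enabledAesSuites()) {
            System.out.println("enabled: " + s);
        }
    }
}
```

If the AES line still reports SunJCE, the PKCS#11 provider is registered below it in the provider list and unqualified lookups will not reach it.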
