Hi Vladimir,
Hi Tim,
An Advanced Encryption Standard instruction set is now integrated into many processors. Tim has already described it well here " ". The purpose of the instruction set is to improve the speed of applications performing encryption and decryption using Advanced Encryption Standard (AES). They are often implemented as instructions implementing a single round of AES along with a special version for the last round which has a slightly different method.
Crypto API is a cryptography framework in the Linux kernel, for various parts of the kernel that deal with cryptography, such as IPsec. It supports AES-NI. Therefore it is also used with Check Point software. The Crypto API was introduced in kernel version 2.5.45+ and has since expanded to include essentially all popular block ciphers and hash functions.
This API can be used for VPN connections (IPSec) and accelerates AES VPN connections at the hardware level.
This is more problematic with https. OpenSSL is normally used here. OpenSSL also supports AES-NI. However, https uses different ciphers (DES, 3DES, AES, AES256,...). Unfortunately, we cannot control the ciphers in a targeted way. Therefore AES is not always used. So the hardware acceleration for AES-NI is not used for every connection. Therefore the advantage and disadvantage for AES-NI is not really predictable for https.
My assessment of the topic AES-NI:
- VPN -> I think AES-NI can be used for VPN connections specifically with AES/AES256.
- https -> With https the targeted use of AES-NI will be very difficult.
Regards
Heiko
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
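
Added example, not part of the post above: on a Linux host, `/proc/cpuinfo` shows whether the CPU advertises the `aes` flag and `/proc/crypto` lists the implementations registered with the kernel Crypto API. The sketch below parses that layout and reports which algorithms are served by the `aesni_intel` module; the sample text and the function names are constructed for illustration, and neither file is mentioned in the post.

```python
import re

# Constructed sample in /proc/crypto layout (not captured from a real system).
SAMPLE_PROC_CRYPTO = """\
name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
priority     : 400

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100

name         : cbc(des3_ede)
driver       : cbc(des3_ede-generic)
module       : kernel
priority     : 100
"""
SAMPLE_CPUINFO = "flags\t\t: fpu sse2 pclmulqdq aes avx"  # constructed

def cpu_has_aesni(cpuinfo_text):
    """True if a 'flags' line of /proc/cpuinfo lists the 'aes' CPU flag."""
    return any("aes" in line.split(":", 1)[1].split()
               for line in cpuinfo_text.splitlines()
               if line.startswith("flags") and ":" in line)

def parse_proc_crypto(text):
    """Return one dict per implementation block (blocks are blank-line separated)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.split(r"\s*:\s*", ln.strip(), maxsplit=1)
                      for ln in block.splitlines() if ":" in ln)
        if "name" in fields:
            entries.append(fields)
    return entries

def preferred(entries):
    """Per algorithm name, keep the highest-priority implementation,
    which is the one the Crypto API hands out by default."""
    best = {}
    for e in entries:
        if e["name"] not in best or int(e["priority"]) > int(best[e["name"]]["priority"]):
            best[e["name"]] = e
    return best

def aesni_backed(entries):
    """Algorithm names whose preferred implementation is from aesni_intel."""
    return sorted(n for n, e in preferred(entries).items()
                  if e.get("module") == "aesni_intel")

if __name__ == "__main__":
    entries = parse_proc_crypto(SAMPLE_PROC_CRYPTO)  # on a host: open("/proc/crypto").read()
    print("CPU aes flag:", cpu_has_aesni(SAMPLE_CPUINFO))
    print("AES-NI backed:", aesni_backed(entries))
```

In the constructed sample only `cbc(aes)` resolves to an AES-NI driver; `cbc(des3_ede)` falls back to the generic software implementation, which matches the point that acceleration depends on the cipher actually in use.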