AES encryption performance
I'm wondering if anyone has tried using the AES (Advanced Encryption Standard) via Oracle's Advanced Security Option (aka: Oracle Enterprise Security) to encrypt communications between an Oracle client and the Server.
If so, did you notice any substantial decrease in performance?
We're getting ready to implement encryption on Oracle, but want to first make sure it won't make a noticeable difference in response time for our end-users.
I posted an answer to this same question in AES network encryption performance
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC
Similar Messages
-
Can't open a specific wesite with AES encryption on
WRT54GX2 router set up with WPA and AES encryption, will not open a website that I know is working (it's my ISP, webmail site). When I change to TKIP the site opens normally, but my wireless printer then drops off the network. Anyone have a fix?
I agree with toomanydonuts' suggestion. You can try the steps which toomanydonuts has mentioned and I think that will make your computer and printer work wirelessly.
-
WPA2 Aes encryption on cisco 1121G AP
hi
i wanted to increase the security on my 1121G accesspoint by enabling wpa2 with aes encryption. in a test environment i set this up and i configured my wireless client to connect, my wireless client (ibm thinkpad t42p with 11a/b/g Wireless LAN Mini PCI Adapter II) has the ability to either select WPA or WPA2 and whether you use TKIP or AES. i selected WPA2 and AES, entered the encryption key which i had entered on the AP and i connected,
i change the settings on the client to WPA and TKIP and entered the same encryption key and i managed to connect as well, which puzzles me, when i enter an incorrect encryption key it won't associate.
is this normal behaviour or do you think i have configured something incorrectly on the 1121G AP?
i have attached my config and have removed some personal data.
many thanks
rogier
i have finally figured it out, it is the windows client or mac clients being very smart, if you configure your windows client to use WPA instead of WPA2 and select TKIP instead of AES encryption somehow it figures out this is incorrect and automatically sets the WPA to WPA2 settings and changes TKIP to AES encryption, i am amazed, i finally figured it out when a windows machine which did not have the windows patch to allow it to connect to WPA2 could not connect, only after installing the WPA2 patch would it connect. in the AP log it always showed as logging in with the WPA2 AES encryption.
i guess windows xp is a bit smarter than i originally thought
-
AES Encryption for Windows Phone
Hi,
We are developing a windows phone app and the same app is also being developed in Android and IOS. All three platforms are using a JSON web service for data access. Parameters to be passed are encrypted using AES algorithm.
The web service uses the Encryption and Decryption as shown in the following link :
https://msdn.microsoft.com/en-us/library/system.security.cryptography.aesmanaged(v=vs.110).aspx
The same Encryption is available in IOS and Android and working fine.
I am unable to achieve the same encryption in Windows Phone as System.Security.Cryptography is not available in Windows Phone. I did browse around and found a few alternatives as shown below but i am not getting the desired result i.e. Encrypted data is not the same and hence Decryption is not giving the same result in server side.
    public static byte[] Encrypt(string plainText, string pw, string salt)
    {
        IBuffer pwBuffer = CryptographicBuffer.ConvertStringToBinary(pw, BinaryStringEncoding.Utf8);
        IBuffer saltBuffer = CryptographicBuffer.ConvertStringToBinary(salt, BinaryStringEncoding.Utf16LE);
        IBuffer plainBuffer = CryptographicBuffer.ConvertStringToBinary(plainText, BinaryStringEncoding.Utf16LE);
        // Derive key material for password size 32 bytes for AES256 algorithm
        KeyDerivationAlgorithmProvider keyDerivationProvider = Windows.Security.Cryptography.Core.KeyDerivationAlgorithmProvider.OpenAlgorithm("PBKDF2_SHA1");
        // using salt and 1000 iterations
        KeyDerivationParameters pbkdf2Parms = KeyDerivationParameters.BuildForPbkdf2(saltBuffer, 1000);
        // create a key based on original key and derivation parameters
        CryptographicKey keyOriginal = keyDerivationProvider.CreateKey(pwBuffer);
        IBuffer keyMaterial = CryptographicEngine.DeriveKeyMaterial(keyOriginal, pbkdf2Parms, 32);
        CryptographicKey derivedPwKey = keyDerivationProvider.CreateKey(pwBuffer);
        // derive buffer to be used for encryption salt from derived password key
        IBuffer saltMaterial = CryptographicEngine.DeriveKeyMaterial(derivedPwKey, pbkdf2Parms, 16);
        // display the buffers – because KeyDerivationProvider always gets cleared after each use, they are very similar unfortunately
        string keyMaterialString = CryptographicBuffer.EncodeToBase64String(keyMaterial);
        string saltMaterialString = CryptographicBuffer.EncodeToBase64String(saltMaterial);
        SymmetricKeyAlgorithmProvider symProvider = SymmetricKeyAlgorithmProvider.OpenAlgorithm("AES_CBC_PKCS7");
        // create symmetric key from derived password key
        CryptographicKey symmKey = symProvider.CreateSymmetricKey(keyMaterial);
        // encrypt data buffer using symmetric key and derived salt material
        IBuffer resultBuffer = CryptographicEngine.Encrypt(symmKey, plainBuffer, saltMaterial);
        byte[] result;
        CryptographicBuffer.CopyToByteArray(resultBuffer, out result);
        return result;
    }

    public static string Decrypt(byte[] encryptedData, string pw, string salt)
    {
        IBuffer pwBuffer = CryptographicBuffer.ConvertStringToBinary(pw, BinaryStringEncoding.Utf8);
        IBuffer saltBuffer = CryptographicBuffer.ConvertStringToBinary(salt, BinaryStringEncoding.Utf16LE);
        IBuffer cipherBuffer = CryptographicBuffer.CreateFromByteArray(encryptedData);
        // Derive key material for password size 32 bytes for AES256 algorithm
        KeyDerivationAlgorithmProvider keyDerivationProvider = Windows.Security.Cryptography.Core.KeyDerivationAlgorithmProvider.OpenAlgorithm("PBKDF2_SHA1");
        // using salt and 1000 iterations
        KeyDerivationParameters pbkdf2Parms = KeyDerivationParameters.BuildForPbkdf2(saltBuffer, 1000);
        // create a key based on original key and derivation parameters
        CryptographicKey keyOriginal = keyDerivationProvider.CreateKey(pwBuffer);
        IBuffer keyMaterial = CryptographicEngine.DeriveKeyMaterial(keyOriginal, pbkdf2Parms, 32);
        CryptographicKey derivedPwKey = keyDerivationProvider.CreateKey(pwBuffer);
        // derive buffer to be used for encryption salt from derived password key
        IBuffer saltMaterial = CryptographicEngine.DeriveKeyMaterial(derivedPwKey, pbkdf2Parms, 16);
        // display the keys – because KeyDerivationProvider always gets cleared after each use, they are very similar unfortunately
        string keyMaterialString = CryptographicBuffer.EncodeToBase64String(keyMaterial);
        string saltMaterialString = CryptographicBuffer.EncodeToBase64String(saltMaterial);
        SymmetricKeyAlgorithmProvider symProvider = SymmetricKeyAlgorithmProvider.OpenAlgorithm("AES_CBC_PKCS7");
        // create symmetric key from derived password material
        CryptographicKey symmKey = symProvider.CreateSymmetricKey(keyMaterial);
        // decrypt data buffer using symmetric key and derived salt material
        IBuffer resultBuffer = CryptographicEngine.Decrypt(symmKey, cipherBuffer, saltMaterial);
        string result = CryptographicBuffer.ConvertBinaryToString(BinaryStringEncoding.Utf16LE, resultBuffer);
        return result;
    }

    public static string AES_Encrypt(string input, string pass)
    {
        SymmetricKeyAlgorithmProvider SAP = SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.AesEcbPkcs7);
        CryptographicKey AES;
        HashAlgorithmProvider HAP = HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Md5);
        CryptographicHash Hash_AES = HAP.CreateHash();
        string encrypted = "";
        try
        {
            byte[] hash = new byte[32];
            Hash_AES.Append(CryptographicBuffer.CreateFromByteArray(System.Text.Encoding.UTF8.GetBytes(pass)));
            byte[] temp;
            CryptographicBuffer.CopyToByteArray(Hash_AES.GetValueAndReset(), out temp);
            Array.Copy(temp, 0, hash, 0, 16);
            Array.Copy(temp, 0, hash, 15, 16);
            AES = SAP.CreateSymmetricKey(CryptographicBuffer.CreateFromByteArray(hash));
            IBuffer Buffer = CryptographicBuffer.CreateFromByteArray(System.Text.Encoding.UTF8.GetBytes(input));
            encrypted = CryptographicBuffer.EncodeToBase64String(CryptographicEngine.Encrypt(AES, Buffer, null));
            return encrypted;
        }
        catch (Exception ex)
        {
            return null;
        }
    }

    public static string AES_Decrypt(string input, string pass)
    {
        SymmetricKeyAlgorithmProvider SAP = SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.AesEcbPkcs7);
        CryptographicKey AES;
        HashAlgorithmProvider HAP = HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Md5);
        CryptographicHash Hash_AES = HAP.CreateHash();
        string decrypted = "";
        try
        {
            byte[] hash = new byte[32];
            Hash_AES.Append(CryptographicBuffer.CreateFromByteArray(System.Text.Encoding.UTF8.GetBytes(pass)));
            byte[] temp;
            CryptographicBuffer.CopyToByteArray(Hash_AES.GetValueAndReset(), out temp);
            Array.Copy(temp, 0, hash, 0, 16);
            Array.Copy(temp, 0, hash, 15, 16);
            AES = SAP.CreateSymmetricKey(CryptographicBuffer.CreateFromByteArray(hash));
            IBuffer Buffer = CryptographicBuffer.DecodeFromBase64String(input);
            byte[] Decrypted;
            CryptographicBuffer.CopyToByteArray(CryptographicEngine.Decrypt(AES, Buffer, null), out Decrypted);
            decrypted = System.Text.Encoding.UTF8.GetString(Decrypted, 0, Decrypted.Length);
            return decrypted;
        }
        catch (Exception ex)
        {
            return null;
        }
    }
Both methods shown above are not giving the same result.
I would require the following scenario :
Plain Text : "login@123"
Key : "0123456789abcdef"
IV : "fedcba9876543210"
Hex : 356F65678C82C137BDBB2A2C8F824A68
Encrypted Text : 5oegåÇ¡7Ωª*,èÇJh
Request you to please suggest alternative to obtain the same AES Encryption using a Key and IV in Windows Phone.
Thanks in advance.
Regards,
Vinay D
Hi,
The encryption and decryption in : http://dotnetspeak.com/2011/11/encrypting-and-decrypting-data-in-winrt-2 is not giving me the desired result.
I would require the following scenario :
Plain Text : "login@123"
Key : "0123456789abcdef"
IV : "fedcba9876543210"
Encrypted Text : 5oegåÇ¡7Ωª*,èÇJh
But what i am getting from the above link is :
I would require the following scenario :
Plain Text : "login@123"
Key : "0123456789abcdef"
IV : "fedcba9876543210"
Encrypted Text : NW9lZ4yCwTe9uyosj4JKaA==
As u can see the encrypted string is not the same and hence i would get a different decrypt string on the server.
I cannot change the server as it is in production and working with Android and IOS.
Regards,
Vinay D
-
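The three ciphertext forms quoted in the Windows Phone thread above (hex, displayed text, Base64) can only be compared after each is decoded back to raw bytes; done that way, all three are the same 16 bytes. This is an added example, not code from the thread: the function names are hypothetical, and reading the displayed "Encrypted Text" as Mac OS Roman is an assumption that fits every character shown.

```python
import base64
import unicodedata

# Values quoted in the thread above.
EXPECTED_HEX = "356F65678C82C137BDBB2A2C8F824A68"
EXPECTED_TEXT = "5oegåÇ¡7Ωª*,èÇJh"         # ciphertext bytes shown as characters
WINRT_BASE64 = "NW9lZ4yCwTe9uyosj4JKaA=="  # result the poster got from WinRT

AES_BLOCK_BYTES = 16


def to_bytes(value, representation):
    """Decode one displayed form of a ciphertext back to raw bytes.

    representation is "hex", "base64", or "text:<charset>" for raw bytes
    that were rendered as characters in an 8-bit charset.
    """
    if representation == "hex":
        return bytes.fromhex(value)
    if representation == "base64":
        return base64.b64decode(value, validate=True)
    if representation.startswith("text:"):
        charset = representation.split(":", 1)[1]
        # NFC folds look-alike code points (e.g. the ohm sign) to the form
        # the charset table uses before mapping characters back to bytes.
        return unicodedata.normalize("NFC", value).encode(charset)
    raise ValueError("unknown representation: " + representation)


def compare_ciphertexts(samples):
    """samples: list of (label, value, representation).

    Returns (all_equal, {label: uppercase hex}). Raises ValueError if a
    sample is not a whole number of AES blocks, which points to truncation
    or a wrong decoding rather than a different key or IV.
    """
    decoded = {}
    for label, value, representation in samples:
        raw = to_bytes(value, representation)
        if len(raw) == 0 or len(raw) % AES_BLOCK_BYTES != 0:
            raise ValueError(label + ": not a whole number of AES blocks")
        decoded[label] = raw.hex().upper()
    return len(set(decoded.values())) == 1, decoded


def thread_samples():
    """The three forms from the thread, each tagged with how to decode it."""
    return [
        ("server hex", EXPECTED_HEX, "hex"),
        ("server text", EXPECTED_TEXT, "text:mac_roman"),  # charset assumed
        ("WinRT base64", WINRT_BASE64, "base64"),
    ]


if __name__ == "__main__":
    same, decoded = compare_ciphertexts(thread_samples())
    for label, hexed in decoded.items():
        print(f"{label:13} {hexed}")
    print("identical bytes:", same)
```

When a client and a server appear to disagree on AES output, decoding both sides to hex first separates a transport-encoding difference from a real key, IV or mode mismatch.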
Hello
We are using the AES encryption algorithm in one of our systems. To be able to use AES, we installed the local_policy.jar and US_export_policy.jar files in the JVM.
It works on Windows and 32-bit Linux, but it did not work on 64-bit Linux. It returns the following error message: java.security.InvalidKeyException: Invalid AES key length: 31 bytes.
Are the policy files above different in the JDK for 64-bit Linux?
What may be happening?
I would suggest that you have not transferred your key correctly. You should note that keys are binary data and Strings should not be used to store binary data. It is possible that since you are using ASCII the two systems behave differently when converting a String to ASCII bytes. It would not surprise me if characters greater than 0x7f (which are not part of the ASCII set) are converted differently. Maybe somebody fixed a bug. Dump out in hex the bytes of your key created from key.getBytes("ASCII") in both systems and compare the two. I bet they are different.
P.S. Please enclose the code in a pair of tags when posting code.
-
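One way a 32-byte key can come out as 31 bytes on one platform only, in line with the reply in the InvalidKeyException thread above: key bytes pushed through a String are decoded with the platform's default charset, and two bytes that form one UTF-8 character collapse into a single character. This is an added example, not code from the thread; the key is constructed, the function names are hypothetical, Python codecs stand in for the JVM's charset conversion, and whether this is what happened to the poster is an assumption.

```python
AES_KEY_LENGTHS = (16, 24, 32)

# Constructed 32-byte key for illustration: 30 ASCII bytes followed by
# 0xC3 0xA9, which happens to be a valid two-byte UTF-8 sequence.
SAMPLE_KEY = bytes(range(0x30, 0x4E)) + b"\xc3\xa9"


def via_string(raw_key, platform_charset):
    """Model the lossy path: key bytes -> String -> getBytes("ASCII").

    platform_charset stands in for the default charset used when the key
    bytes are first turned into a String on a given machine.
    """
    as_text = raw_key.decode(platform_charset, errors="replace")
    # Characters that ASCII cannot represent are replaced with '?'.
    return as_text.encode("ascii", errors="replace")


def audit(raw_key, charsets=("cp1252", "utf-8")):
    """Hex-dump the key as it looks after the String round trip per charset."""
    report = {}
    for charset in charsets:
        out = via_string(raw_key, charset)
        report[charset] = {
            "length": len(out),
            "hex": out.hex(),
            "valid_length": len(out) in AES_KEY_LENGTHS,
            "intact": out == raw_key,
        }
    return report


def via_hex(raw_key):
    """Lossless transport: hex text is plain ASCII on every platform."""
    return bytes.fromhex(raw_key.hex())


if __name__ == "__main__":
    print("original", len(SAMPLE_KEY), SAMPLE_KEY.hex())
    for charset, row in audit(SAMPLE_KEY).items():
        print(charset, row["length"], row["hex"],
              "valid length" if row["valid_length"] else "INVALID length")
    print("hex round trip intact:", via_hex(SAMPLE_KEY) == SAMPLE_KEY)
```

In this model the cp1252 path still yields 32 bytes, so the cipher accepts the key even though its last two bytes have been replaced; only the hex comparison the reply recommends reveals that.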
Accept Certificate when connecting to an SSID with WPA2-AES encryption.
When I try to connect my iPhone to an SSID with WPA2-AES encryption, I need to accept the certificate and get authenticated. When I switch over to a different SSID and reconnect again to the same WPA2-AES SSID, I do not get the certificate accept page.
When I click on Forget Network and disconnect from the SSID and re-connect again, I will be prompted to accept the certificate. Is this normal behavior on the iPhone?
Any suggestions would be greatly appreciated.
Thanks and regards,
Sendhil Balakrishnan
Hi
with the config i have i seem to be able to login using either tkip or aes, but i don't think i have got mixed mode configured on the AP so it should only accept WPA2-AES encryption but it also accepts TKIP making me believe something is configured incorrectly.
should i change anything in the config on the AP to only allow WPA2-AES encryption?
many thanks
rogier
-
Hi all,
Just looking at the AES standard, or wiki of it
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
It mentions that AES supports the following (in the notes just at the bottom of the web page)
Key sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128, 192, and 256-bit key sizes are specified in the AES standard.
Block sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128-bit block size is specified in the AES standard.
What do the WLCs use for an AES key size when you enable a WPA2 policy with AES encryption?
Many thx
Ken
128 bits was supported on the autonomous code, so I'm sure the LWAPP solution also uses 128 bits with three possible key lengths 128, 192 and 256 bits.
-
AES Encryption No Longer Working
Last week we had users complaining that they could no longer connect to wireless. They were receiving a limited or no connectivity message. Upon researching the issue, I found that if I removed the AES encryption, from WPA2, users were able to connect again with TKIP. In speaking to a few admins, they stated that TKIP was the preferred method that was chosen years ago. My first question is this.....In our WLAN's, we had the options for WPA/TKIP-AES, and WPA2/TKIP-AES. I'm assuming this would allow the PC to use whichever encryption method was preferred. However, this doesn't seem to be the case. The PC chose AES, which caused the issue that they were having. Would this be something PC based? I'm assuming the controller only gives the ability. It won't actually dictate which encryption method is used, unless one of the options is turned off (like we did with AES). My second question is this....TKIP, being a weaker encryption method, isn't what I want our users using. How could I migrate to AES? Are there specific instructions to move from TKIP to AES? Is it more than just putting a check mark on the AES options, under WLAN security? Thanks for any help!
It's best to only use either WPA/TKIP or WPA2/AES, not both or a mix of either. This does cause issues with devices so it's hit or miss. If you had configured everything for WPA2/TKIP, well... you're stuck with a non-standard IEEE setting, and you will have to just configure that on the WLC. It's the same if you were using WPA/AES.
The best way to move to a standard is if your devices were domain machines and you can push out a GPO. Non-domain machines, you would need to manually enter those unless you had a tool that manages them.
-
Enable AES encryption on 1310 Wireless bridge
Hi All,
I have a requirement to enable AES encryption on the management VLAN traffic between connected root and non-root bridges. Can anyone share the configuration guidelines please?
Below is the network setup.
Router<---->SW1 ( main office)--> Root-bridge < ---------->non root-bridge------SW2 ( remote end site)
Apart from the specific configuration on the wireless bridge, is any extra configuration required on the switch interfaces?
Regards
Lerner
Hello,
1. Make sure you are running version 12.3(7)JA or later since WPA2/AES was not always available for the 1310.
2. How do you currently have the root/non-root configured?
Ideally, adding AES should be fairly straightforward. Keep in mind we recommend using WPA2 with AES.
configured on your root AND non-root:
dot11 ssid
authentication open
authentication key-management wpa version 2
interface do1
encryption mode ciphers aes-ccm
-
What configurations need to Enable AES encryptions on call on Expressway-e ??
hi guys
i've cucm 10.5 without token, on this cucm i've one sx80 registered, the cucm is configured for B2B calls using one expressway-c and expressway-e, the b2b call works fine, but now i need to configure aes encryption for calls from the SX80 to an internet endpoint and vice versa.
what configurations do i need to enable aes encryption on expressway-e?
thanks.
Which browser are you using? Do you have Enable Java checked in its preferences? When you get a message it's a good idea to write down exactly what it says rather than dismiss it and wonder later what it said about something.
-
I'm new to the cryptography area, so bear with me if I get things mixed up a bit.
Here is what I need to do - using AES encryption.
I have a stand-alone swing application that I need to encode certain sets of passwords and serial numbers.
These will be stored in a database and compared against user input strings.
Basically, I want to be able to store the key for the encryption in the program and use it for the encoding
and decoding.
I realize this is probably not the best way to handle this, but the security is not all that critical for this application.
Basically we just don't want someone fetching the data from the database without having to use the application to decrypt it.
I have seen several examples where a SecretKeySpec gets generated for each time the example is run,
an example is http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html
but I have not been able to find anything where a "static" key is used for the encryption/decryption.
Can someone help me out here?
Thanks.
From your usage description, there is no need to encrypt anything. Just store a hash (MD5, SHA-1, SHA256 etc) of the passwords and serial numbers. You then compare the hash of whatever the user enters with the hash stored in the DB.
-
AES Encryption - Encrypted value lengths
HI all -
I am attempting to use CF 8's AES encryption feature, and
have not found a critical piece of info in the docs to enable me to
progress.
I am using the function to encrypt a password that can be
from 6 to 16 characters long, which will be stored in a database. I
am using generateSecretKey("AES"), and that gives me a 24 character
key that I'm storing for future decryption use. I find that when I
use the key to encrypt a 6 character password the resulting
encrypted string is 32 characters long, but when I encrypt a 16
character password I get a 64 character encrypted string. This is
the case whether I specify "HEX" or "UU" as the encoding.
Without knowing how the length of the resulting encoded
string is determined, I cannot know how large to make my database
column. (MySQL's AES encryption gives the formula 16 ×
(trunc(string_length / 16) + 1) to arrive at the resulting string's
length, but that formula doesn't yield the results I'm seeing in
CFMX). Can anyone point me to a doc, or explain to me how to
determine the column length for storing the resulting encrypted
value?
No. Only things like key, encoding and string size should
matter. If the encoding is "hex", 1-15 characters should produce
size 32, 16-31 characters should produce 64, etcetera. Unless space
is at a premium, you could always increase the field size if that
makes you feel more comfortable.
Well, the results are dictated by the AES standard and basic
string encoding rules, not CF. I highly doubt either one is going
to change any time soon ;-) I agree documentation is good. However,
unlike aes_encrypt, the encrypt function supports many different
algorithms. Most of which have a distinct set of rules. So it would
probably be difficult to provide accurate information about all of
them. Especially as the specifications for each one alone probably
spans volumes ;-)
-
Dear all
I have two Cisco Aironet 1252 autonomous access points that are configured as a point-to-point bridge. Now I want to configure AES encryption or WPA2 using a pre-shared key, however I do not see the option to do this. The only options I see under ciphers are:
wep 128
wep 40
TKIP
CKIP
CMIC
CKIP-CMIC
TKIP+WEP 128
TKIP+WEP 40
AES CCMP
AES CCMP + TKIP
AES CCMP + TKIP + WEP 128
AES CCMP + TKIP + WEP 40
Is it possible to use either AES or WPA2 using a pre-shared key on the 1252 autonomous access point? If possible please provide instructions, preferably using the web interface.
Regards,
Screech
Sure ..
This is WPA2 Enterprise -- but you will see the PSK commands below
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
If you don't see these commands then you need to update your code.
- Go to Security > Encryption Manager > Select Cipher > AES CCMP from the drop down menu > Apply
- Go to Security > SSID Manager > Select (or create) the SSID > Link the SSID to the radio that you want
- Open authentication should be selected
- Key Management should be set to Mandatory
- "Enable WPA" needs to be checked
- Enter the Pre-Shared Key on the "WPA Pre-shared Key" field.
- Scroll down and click on the first apply (not the bottom one).
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
-
Hi,
I need to encrypt a file in Java using AES, given an 'EncryptionKey'. The "EncryptionKey" will be given to me as a String. Later, the client needs to be able to decrypt it using the same "EncryptionKey", with ANY decryption tool.
I'm not sure how this can be done. The sample codes I saw online usually use a KeyGenerator to generate the Key. It seems like maybe I can use the "EncryptionKey" as a password, and use this password to generate a Key like this:
http://javaalmanac.com/egs/javax.crypto/PassKey.html
However, the link above uses DES. If I want to use AES, is it possible? Also, the client is not supposed to know anything about the salt and iteration count, all he knows is the "EncryptionKey".
Thanks a lot!
The use of 'any' decryption tool needs to be constrained to those tools that support not just the prime encryption algorithm but also the secondary algorithms.
The code fragment I posted explicitly used
a) 'AES' as the prime encryption algorithm,
b) 'CBC' as the block mode,
c) 'PKCS5Padding' to pad the data to an integral number of blocks
and it implicitly used a separate Key and IV. It is possible to use a random IV and to send the IV as a prefix to the encrypted data. It is normal then to use a random IV so that no two messages use the same IV. You could of course take a pragmatic approach and just use a fixed IV!
The JCE gives you other encryption algorithms, other block modes and other padding modes and, since it is really a framework, it can be extended to add in further algorithms and processing.
Further processing not included in the JCE could be applied. For example, the resultant encrypted data could be 'armored' by using Base64 or HEX encoding and it may be compressed before encryption.
As you can see, the 'devil is in the detail' and YOU have to decide how the data will be processed and therefore what algorithms any decryption tool must support.
The JCE gives you a set of building blocks but there are more operations (such as Base64 encoding) that may be needed. Using the JCE together with some 3rd party tools will allow you to create an encryption procedure that another tool will be able to decrypt BUT the other tool will need to specify what operations it performs to decrypt the data. You will need to study the decryption tool's manual to decide what operations you need to perform when encrypting your data.
If you need more general information then, as a starting point, there is an electronic book at http://www.cacr.math.uwaterloo.ca/hac/ and of course there is the JCE specification.
-
AES Java performance numbers?
Can anyone provide me some performance numbers on AES Java implementations on different processors and with different JCE/JCA providers? I would like to know if a software implementation of AES has good enough performance for my application or if I have to go through hardware acceleration.
Thanks!
if you care about AES performance it depends on a few things.
are you talking about substantial amounts of data encrypted all at
once ?
or are you talking about multiple requests from encrypted of small sizes.
or both.
java isn't very fast at IO so if you are reading and writing large files java
will certainly not perform great. in this case, switch to c (not hardware :))
if it's multiple requests make sure that this is your bottleneck - the encryption - it probably won't be.
but again, c (or a native language) is the best way to approach performance
for IO operations, or anything really :) i certainly wouldn't jump right to hardware
unless you really really need it.