IMG_6260

SSL on a Beaglebone Black: balancing performance with security

I’ve recent­ly set up a local serv­er on a Bea­gle­bone Black, which is a cred­it-card sized com­put­er with a 1GHz ARM Cor­tex-A8 proces­sor. I’m using it as a cloud serv­er to sync my cal­en­dar and con­tacts, hav­ing moved the own­Cloud instance (men­tioned the oth­er day) from my host­ed VPS to my local network.

I cre­at­ed a self-signed cer­tifi­cate author­i­ty and an SSL cert for the serv­er and dis­cov­ered that, con­trary to most of my expe­ri­ence run­ning com­mer­cial servers, SSL can add a huge load to a low-pow­ered server.

So I recre­at­ed the key and cert sev­er­al times at dif­fer­ent key lengths to see what the dif­fer­ence in com­pu­ta­tion­al com­plex­i­ty was. Here’s what I got: (these are all num­bers access­ing a PHP test page across a local net­work with ab1, so the only sig­nif­i­cant bot­tle­neck should be the load on the server.)

pro­to­col and key sizecom­plet­ed requests per secondmean time per response
http (no ssl)69.37 req/sec14ms
1024-bit key14.88 req/sec333ms
1536-bit key26.96 req/sec712ms
2048-bit key7.24 req/sec684ms
4096-bit key2.54 req/sec1951ms

Clear­ly on an admit­ted­ly under­pow­ered web­serv­er (though it was­n’t that long ago that we all ran huge sites on servers with few­er hors­es) SSL can make a huge hit on performance.

So for this pur­pose (sync­ing my address book and cal­en­dar) I’m stick­ing with a 1024-bit key. I’m the only user, but it makes a notice­able dif­fer­ence when access­ing own­Cloud in the brows­er where there are an unknown num­ber of AJAX requests made to the server.

My think­ing (for the moment any­how) is that even if 1024-bit key SSL is cracked once some­where that the com­pu­ta­tion­al expense will be too high for any­one to care about get­ting my address book. Grant­ed, they won’t know it’s my address book. The NSA could be record­ing every pack­et so that in 20 years they can decode it when the cost to decode is cheap. Or 10 years; who knows? The point is that by the time that they get at this data it will be stale. Peo­ple will have moved to new address­es and I’ll have already gone to the appoint­ments in my calendar.

For a com­mer­cial appli­ca­tion I still would­n’t ever use less than a 2048-bit key. If you don’t have the serv­er horse­pow­er to han­dle it, maybe you ought to rethink your busi­ness plan. But for per­son­al blogs who want to be part of the https every­where move­ment, maybe 1024-bit keys are good enough.

Maybe.


  1. Apache Bench­mark, a sim­ple tool for stress-test­ing web­servers. 
  2. The 1536-bit key is a strange anom­aly. Not sure what to make of it, but includ­ed the result for com­plete­ness’ sake. Or for chuck­les, take your pick. 

Leave a Reply