[Cryptography] Using Raspberry Pis

Nathan Dorfman nd at rtfm.net
Sun Jan 5 20:04:20 EST 2014


On Mon, Aug 26, 2013 at 4:12 PM, Phillip Hallam-Baker <hallam at gmail.com>
wrote:
> I really like RPis as a cryptographic tool. The only thing that would make
> them better is a second Ethernet interface so they could be used as a
> firewall type device.

Anyone who is interested in a "home server/firewall" device like this may
want to look at the EdgeRouter Lite from Ubiquiti (~US$90-100). It can run
FreeBSD 10.0 -- with a full read/write filesystem, as the storage inside is
a regular 4GB USB flash drive. Currently, installing FreeBSD requires taking
out this flash drive and writing an image to it, as well as using a serial
console cable to change a bootloader setting. However, in the near future,
an installer that can easily be run from the factory OS should hopefully be
available.

I have ready-to-go FreeBSD images for the device available, as well as a
detailed guide to getting up and running, at http://rtfm.net/FreeBSD/ERL/. I
also have, of course, a simple shell script that can build identical images
from your own copy of the FreeBSD source tree, at
http://rtfm.net/FreeBSD/ERL/mkerlimage

Installing FreeBSD gives up some of the high-performance features of the
device; however, it still beats the pants off a Raspberry Pi. It also has
some hardware crypto support, and that also works in FreeBSD, if that's your
cup of tea.

Just two very preliminary tests:

1. iperf, between two gigabit PCs, with the ERL in the middle passing
packets only (no filtering):

[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-30.0 sec   905 MBytes   253 Mbits/sec

More threads, same result:
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-30.0 sec   229 MBytes  63.9 Mbits/sec
[  6]  0.0-30.0 sec   262 MBytes  73.2 Mbits/sec
[  8]  0.0-30.0 sec   203 MBytes  56.7 Mbits/sec
[  7]  0.0-30.0 sec   211 MBytes  58.9 Mbits/sec
[SUM]  0.0-30.0 sec   904 MBytes   253 Mbits/sec

2. Encryption with and without the hardware-accelerated cipher mode, on a
50MB file in memory (tmpfs):

# df -h /tmp ;  dd if=/dev/urandom of=50MB bs=10k count=5k
Filesystem    Size    Used   Avail Capacity  Mounted on
tmpfs         192M    4.0K    192M     0%    /tmp
5120+0 records in
5120+0 records out
52428800 bytes transferred in 16.993329 secs (3085258 bytes/sec)

# for i in $CIPHERS ; do
echo -n "$i : "
time openssl enc -$i -nosalt -k 'nothing to hide' < 50MB > /dev/null
done
aes-256-cbc :         2.02 real         0.28 user         1.73 sys
aes-128-cbc :         1.95 real         0.24 user         1.71 sys
aes-256-ctr :        12.25 real        11.41 user         0.83 sys
aes-128-ctr :         9.45 real         8.58 user         0.85 sys
rc4 :         3.33 real         2.48 user         0.84 sys

I have yet to test any real setup, with packet inspection, NAT, and VPN, but
it's showing a lot of promise. Hopefully, someone out there finds this
useful... or better yet, wants to get involved with making things better.

-nd.
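
An added example, not part of the original post: a small script that turns the `time openssl enc` lines above into throughput (MiB/s, using the 52428800-byte file size reported by dd) and the share of CPU time spent in the kernel. The post does not say which modes were offloaded; reading a high sys share as work done below userland is an assumption of this example, and the function names and the kernel-bound/user-bound labels are its own.

```shell
#!/bin/sh
# Added example: summarise `time openssl enc` results like those in the post.
# Expected input lines: "<cipher> : <real> real <user> user <sys> sys"
BYTES=52428800   # size of the test file, as reported by dd in the post

# Timing lines copied from the post's benchmark output.
sample_results() {
cat <<'EOF'
aes-256-cbc :         2.02 real         0.28 user         1.73 sys
aes-128-cbc :         1.95 real         0.24 user         1.71 sys
aes-256-ctr :        12.25 real        11.41 user         0.83 sys
aes-128-ctr :         9.45 real         8.58 user         0.85 sys
rc4 :         3.33 real         2.48 user         0.84 sys
EOF
}

# summarise: reads timing lines on stdin and prints, per cipher,
#   "<cipher> <MiB/s> <sys share of CPU time, %> <label>"
# The label is "kernel-bound" when sys time exceeds user time (assumption:
# offloaded crypto is accounted as system time), otherwise "user-bound".
summarise() {
  awk -v bytes="$BYTES" '
    $2 == ":" && $4 == "real" && $6 == "user" && $8 == "sys" {
      real = $3 + 0; user = $5 + 0; sys = $7 + 0
      if (real <= 0 || user + sys <= 0) next   # skip unusable timings
      rate  = bytes / real / 1048576           # MiB per wall-clock second
      share = 100 * sys / (user + sys)         # percent of CPU time in kernel
      label = (sys > user) ? "kernel-bound" : "user-bound"
      printf "%s %.1f %.0f %s\n", $1, rate, share, label
    }'
}

sample_results | summarise
```

Lines that do not match the expected `time` layout are ignored, so the raw terminal output can be piped in unedited.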



