[Cryptography] Using Raspberry Pis
Nathan Dorfman
nd at rtfm.net
Sun Jan 5 20:04:20 EST 2014
On Mon, Aug 26, 2013 at 4:12 PM, Phillip Hallam-Baker <hallam at gmail.com>
wrote:
> I really like RPis as a cryptographic tool. The only thing that would make
> them better is a second Ethernet interface so they could be used as a
> firewall type device.
Anyone who is interested in a "home server/firewall" device like this may
want to look at the EdgeRouter Lite from Ubiquiti (~US$90-100). It can run
FreeBSD 10.0 -- with a full read/write filesystem, as the storage inside is
a regular 4GB USB flash drive. Currently, installing FreeBSD requires taking
out this flash drive and writing an image to it, as well as using a serial
console cable to change a bootloader setting. However, in the near future,
an installer that can easily be run from the factory OS should hopefully be
available.
I have ready-to-go FreeBSD images for the device available, as well as a
detailed guide to getting up and running, at http://rtfm.net/FreeBSD/ERL/. I
also have, of course, a simple shell script that can build identical images
from your own copy of the FreeBSD source tree, at
http://rtfm.net/FreeBSD/ERL/mkerlimage
Installing FreeBSD gives up some of the high-performance features of the
device; however, it still beats the pants off a Raspberry Pi. It also has
some hardware crypto support, and that also works in FreeBSD, if that's your
cup of tea.
Just two very preliminary tests:
1. iperf, between two gigabit PCs, with the ERL in the middle passing
packets only (no filtering):
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-30.0 sec 905 MBytes 253 Mbits/sec
More threads, same result:
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-30.0 sec 229 MBytes 63.9 Mbits/sec
[ 6] 0.0-30.0 sec 262 MBytes 73.2 Mbits/sec
[ 8] 0.0-30.0 sec 203 MBytes 56.7 Mbits/sec
[ 7] 0.0-30.0 sec 211 MBytes 58.9 Mbits/sec
[SUM] 0.0-30.0 sec 904 MBytes 253 Mbits/sec
2. Encryption with and without the hardware-accelerated cipher mode, on a
50MB file in memory (tmpfs):
# df -h /tmp ; dd if=/dev/urandom of=50MB bs=10k count=5k
Filesystem Size Used Avail Capacity Mounted on
tmpfs 192M 4.0K 192M 0% /tmp
5120+0 records in
5120+0 records out
52428800 bytes transferred in 16.993329 secs (3085258 bytes/sec)
# for i in $CIPHERS ; do
echo -n "$i : "
time openssl enc -$i -nosalt -k 'nothing to hide' < 50MB > /dev/null
done
aes-256-cbc : 2.02 real 0.28 user 1.73 sys
aes-128-cbc : 1.95 real 0.24 user 1.71 sys
aes-256-ctr : 12.25 real 11.41 user 0.83 sys
aes-128-ctr : 9.45 real 8.58 user 0.85 sys
rc4 : 3.33 real 2.48 user 0.84 sys
I have yet to test any real setup, with packet inspection, NAT, and VPN, but
it's showing a lot of promise. Hopefully, someone out there finds this
useful... or better yet, wants to get involved with making things better.
-nd.
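
Added example, not part of the original post or the author's code: a small Python parser that turns the posted `time openssl enc` lines into throughput and shows how each run's CPU time divides between user and sys. The "kernel"/"userland" label is a heuristic assumption about where the cipher work was done, not something the post states; the function and field names are hypothetical.

```python
import re

FILE_BYTES = 52428800  # size dd reported for the test file in the post

# Timing lines as posted (output of the `time openssl enc` loop).
TIMINGS = """\
aes-256-cbc : 2.02 real 0.28 user 1.73 sys
aes-128-cbc : 1.95 real 0.24 user 1.71 sys
aes-256-ctr : 12.25 real 11.41 user 0.83 sys
aes-128-ctr : 9.45 real 8.58 user 0.85 sys
rc4 : 3.33 real 2.48 user 0.84 sys
"""

LINE_RE = re.compile(
    r"^\s*(\S+)\s*:\s*([\d.]+)\s+real\s+([\d.]+)\s+user\s+([\d.]+)\s+sys\s*$"
)


def parse_timings(text, nbytes=FILE_BYTES):
    """Return one dict per well-formed timing line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            real, user, sys_t = (float(v) for v in m.group(2, 3, 4))
        except ValueError:  # e.g. "1.2.3" passes the regex but is not a number
            continue
        cpu = user + sys_t
        if real <= 0:
            continue
        share = sys_t / cpu if cpu > 0 else 0.0
        rows.append({
            "cipher": m.group(1),
            "mib_per_s": nbytes / 2**20 / real,
            "kernel_share": share,
            # Assumption: mostly-sys CPU time means the cipher ran in the kernel
            "where": "kernel" if share > 0.5 else "userland",
        })
    return rows


if __name__ == "__main__":
    for r in parse_timings(TIMINGS):
        print(f"{r['cipher']:12} {r['mib_per_s']:6.2f} MiB/s  "
              f"sys share {r['kernel_share']:4.0%}  mostly {r['where']}")
```

Run against the posted figures, the two CBC runs spend most of their CPU time in sys while the CTR and rc4 runs spend most of it in user.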