VPN Performance Tests For Different Ciphers and Key Strengths


Continuing the lively discussion on our post about changing the current TUVPN.COM cipher, and as we promised there, we have performed a number of tests with different cipher and key-strength combinations. They should allow us to take a final decision with better judgement and a clearer understanding of the results.

So, without further delay, here are the results.

To perform the tests we used speedtest.net, always connecting to the same server in their network.

First, here are the results without the VPN, so we have a baseline to compare against.

For your information, the test laptop was located in Sweden and the VPN Servers we used for testing were Chicago and Steinsel.

Speedtest without running OpenVPN

TUVPN No OpenVPN speed test

Speedtest Default Cipher (BF-CBC) and Default Key Length (128bit) – Chicago VPN Server

TUVPN Blowfish 128 bit Chicago speed test

Speedtest Default Cipher (BF-CBC) and Default Key Length (128bit) – Steinsel VPN Server

TUVPN Blowfish 128 bit Steinsel speed test

Speedtest AES-CBC and 256bit key – Chicago VPN Server

TUVPN AES-CBC 256bit Chicago speed test

Speedtest AES-CBC and 256bit key – Steinsel VPN Server

TUVPN AES-CBC 256bit Steinsel speed test

Speedtest BF-CBC and 256bit key – Chicago VPN Server

TUVPN BF-CBC 256bit Chicago speed test

Speedtest BF-CBC and 256bit key – Steinsel VPN Server

TUVPN BF-CBC 256bit Steinsel speed test


Up to here we have only been playing with the cipher and the key length, i.e. we have strengthened the data channel of the VPN.

As Timmi's very interesting comments on our last post point out, we can also play with the control channel security (the channel that creates and maintains the VPN connection).

So now we have a new round of tests, this time also varying the strength of the control channel encryption and the HMAC packet authentication.

For reference, in the control channel we are currently using RSA 1024bit (encryption) and SHA-1 160bit (HMAC packet authentication).
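The figures above are end-to-end speedtest numbers, so they cannot show where the cost of a stronger cipher or HMAC actually comes from. The script below is an added example (not TUVPN's code and not part of the original post) that separates the two components a practitioner would want to look at: the fixed per-packet byte overhead that a longer HMAC tag and a larger cipher block add to every tunnel packet, and the raw HMAC-SHA1 versus HMAC-SHA512 compute rate on the local host. The framing it uses (a 1-byte header, the HMAC tag, one block of IV, then CBC ciphertext of a 4-byte packet-id plus payload, block-padded) is an assumed simplified CBC-tunnel model, not a byte-exact reproduction of the OpenVPN wire format; the 1400-byte payload and the random keys and packet bodies are constructed inputs.

```python
"""Per-packet overhead model and HMAC micro-benchmark for the
cipher / HMAC combinations compared in the post.

Added example, not TUVPN's code.  The packet framing is an assumed,
simplified CBC-tunnel model (see lead-in), used only to show where
per-packet overhead comes from.
"""
import hashlib
import hmac
import os
import time

# Data-channel ciphers under discussion and their block size in bytes:
# Blowfish is a 64-bit block cipher, AES a 128-bit block cipher.
# In CBC mode the IV is one block, so this is also the IV size.
CIPHER_BLOCK_BYTES = {"BF-CBC": 8, "AES-256-CBC": 16}

# HMAC algorithms under discussion: SHA-1 (160-bit tag) vs SHA-512 (512-bit tag).
HMAC_ALGOS = {"SHA1": "sha1", "SHA512": "sha512"}

HEADER_BYTES = 1      # assumed opcode/key-id byte in the model
PACKET_ID_BYTES = 4   # assumed replay-protection counter inside the plaintext


def tunnel_packet_size(payload_len, cipher, auth):
    """Total wire length of one tunnel packet carrying `payload_len` bytes (model)."""
    block = CIPHER_BLOCK_BYTES[cipher]
    tag = hashlib.new(HMAC_ALGOS[auth]).digest_size
    plaintext = PACKET_ID_BYTES + payload_len
    # CBC encrypts whole blocks: PKCS#7-style padding always adds 1..block bytes.
    padded = plaintext + (block - plaintext % block)
    return HEADER_BYTES + tag + block + padded


def overhead_bytes(payload_len, cipher, auth):
    """Bytes added on the wire per packet by header, tag, IV and padding."""
    return tunnel_packet_size(payload_len, cipher, auth) - payload_len


def tag_packet(key, auth, data):
    """HMAC tag the receiver checks before it decrypts anything."""
    return hmac.new(key, data, HMAC_ALGOS[auth]).digest()


def verify_packet(key, auth, data, tag):
    """Constant-time check: wrong key or a modified byte rejects the packet."""
    return hmac.compare_digest(tag_packet(key, auth, data), tag)


def hmac_throughput_mbps(auth, packet_len=1400, packets=20000):
    """Rate at which this host can tag packets with the given HMAC, in Mbit/s.
    Constructed input: a random key and random packet bodies."""
    key = os.urandom(64)
    bodies = [os.urandom(packet_len) for _ in range(256)]
    start = time.perf_counter()
    for i in range(packets):
        hmac.new(key, bodies[i % 256], HMAC_ALGOS[auth]).digest()
    elapsed = time.perf_counter() - start
    return packets * packet_len * 8 / elapsed / 1e6


if __name__ == "__main__":
    payload = 1400  # constructed payload size close to a full MTU
    for cipher in CIPHER_BLOCK_BYTES:
        for auth in HMAC_ALGOS:
            ov = overhead_bytes(payload, cipher, auth)
            pct = 100 * ov / tunnel_packet_size(payload, cipher, auth)
            print(f"{cipher:12s} + {auth:6s}: {ov:3d} bytes overhead per "
                  f"{payload}-byte packet ({pct:.1f}% of the wire)")
    for auth in HMAC_ALGOS:
        print(f"HMAC-{auth}: ~{hmac_throughput_mbps(auth):.0f} Mbit/s on this host")
```

Under this model, moving from BF-CBC + SHA1 to AES-256-CBC + SHA512 raises the per-packet overhead on a 1400-byte payload from 37 to 89 bytes, a few percent of the wire; the HMAC benchmark then shows whether tagging at SHA-512 is anywhere near the link speed on the VPN endpoint. Neither number reproduces the 20% drop measured in the post, which is an end-to-end figure, but together they tell you whether bytes or CPU is the place to look.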

Speedtest Default Cipher (BF-128-CBC) and RSA 2048bit + SHA-2-512bit – Chicago VPN Server

TUVPN BF-CBC 128bit RSA 2048bit SHA1 Chicago speed test

Speedtest Default Cipher (BF-128-CBC) and RSA 2048bit + SHA-2-512bit – Steinsel VPN Server

TUVPN BF-CBC 128bit RSA 2048bit SHA1 Steinsel speed test

Speedtest AES-CBC-256bit key and RSA 2048bit + SHA-2-512bit – Chicago VPN Server

TUVPN AES-CBC 256bit RSA 2048bit SHA1 Chicago speed test

Speedtest AES-CBC-256bit key and RSA 2048bit + SHA-2-512bit – Steinsel VPN Server

TUVPN AES-CBC 256bit RSA 2048bit SHA1 Steinsel speed test

Speedtest BF-CBC-256bit key and RSA 2048bit + SHA-2-512bit – Chicago VPN Server

TUVPN BF-CBC 256bit RSA 2048bit SHA1 Chicago speed test

Speedtest BF-CBC-256bit key and RSA 2048bit + SHA-2-512bit – Steinsel VPN Server

TUVPN BF-CBC 256bit RSA 2048bit SHA1 Steinsel speed test


Conclusion:

So now WHAT? :P

First thing: TUVPN VPN servers are REALLY fast! Well, we already knew that, but here it has been more than proven!

Second thing: increasing the cipher strength to 256bit, with either AES or Blowfish, doesn't seem to penalise performance much. As expected, the current configuration is faster, but not by that much.

Third thing: keeping the current configuration and strengthening only the control channel security also does no noticeable damage to performance.

but

Fourth thing: increasing BOTH data channel and control channel security DOES affect VPN performance. We see a sustained 20% performance decrease.


So, considering how much importance TUVPN's users place on the SPEED of our network, we would not go for a full-blown security revamp of the network covering both channels.

And, as most users prefer to increase data channel security over control channel security (we agree that many probably don't know about the control channel, but at the end of the day we are here not only to instruct, but also to listen and act on the wishes of the majority of our users :)), we are willing to go in that direction.

Between AES-CBC-256 and BF-CBC-256, we would have a preference for Blowfish, as it has been working pretty well up to now, but let's see WHAT YOU HAVE TO SAY!

Hope something comes out of this, after so much work! ;)


5 Responses to “VPN Performance Tests For Different Ciphers and Key Strengths”

  1. Timmi Says:

    I'm very pleased to see the results of all this and thank you for the work involved :)

    I agree that having both control & data channels upgraded would be too much of a hit, and it doesn't surprise me. This is what happens on many other providers who assume they are offering gold dust when actually they are not, and it's overkill!

    Looking at the results carefully I think it's a difficult decision, and we could do with a vote poll in here for us to use?

    For me it's between:

    BF-128-CBC with RSA 2048bit + SHA-2-512bit
    BF-CBC and 256bit key
    AES-CBC and 256bit key

    All three tests looked good ^ I see no problems with Blowfish; it's still widely used at BF-128-CBC with various banks and private consumers with no problems, and when AES is used on most banking sites, I have checked and it's usually also 128 bits.

    As I stated in the other thread, from a security article that mentioned that in the year 2011 everyone who uses security that makes use of SHA-1 should upgrade to SHA-2.

    That being said, and with the upgrade in the RSA key, I would be going with keeping the current data cipher as 128 bit Blowfish and upgrading the RSA & SHA keys.

    Something else to improve security could be to have the server keys change regularly and randomly to keep the security & integrity high. I don't know details on this, but some providers do that hourly (they say?) so if the key was compromised it is changed quickly.

    My final vote is for BF at 256 bit. I would be happy with either, but my concern is on that SHA-1 needing to be upgraded to SHA-2 at some stage, either soon or in the future.

    Reasons for choosing Blowfish are that it's proven to work … we have been using it on the servers, touch wood, with no problems at all, we trust in it and it's not been cracked. Blowfish has no patents to it, no government patents to it, no back doors inside it either! It's open source, free for all, unlike AES which as I understand is patented, correct me if I'm wrong?

  2. hmm Says:

    hi, stay with blowfish, change the keys every hour if possible, no to aes (patented), keep the server speed

  3. Blog TUVPN.COM - Change of TUVPN OpenVPN Cipher to AES-CBC with 256bit key Says:

    [...] with this blog post where we considered the options we had at hand and then continued with a performance analysis of each of the possible [...]

  4. Blog TUVPN.COM - TUVPN News: April Says:

    [...] already announced, and after long discussions with the community and our own testing, we are going to implement AES-CBC as our OpenVPN [...]

  5. Best Encrypted VPN | Best VPN.com Says:

    [...] the length) math necessary to encrypt and decrypt the keys. However, as real-world tests such as this one demonstrate, the impact can be pretty minimal, and it is unfair to criticise VPNs for trying to [...]


©2011 TUVPN.COM. All rights reserved.