AWS Open Source Blog

Amazon Introduces Amazon Corretto Crypto Provider (ACCP)

In October 2018, we introduced Amazon Corretto, an open source, no-cost, multi-platform, production-ready distribution of the Open Java Development Kit (OpenJDK). At launch, we were focused on creating a high-quality, long-term supported distribution, with a few performance improvements. Today, we are pleased to release a major performance improvement feature: the Amazon Corretto Crypto Provider (ACCP).

Historically, Java cryptography has been slow and CPU-intensive. This affects us directly, as well as our customers, because Amazon operates some of the world’s largest Java services. Over years of production use, we have observed that cryptographic operations in Java caused significant CPU usage, throughput bottlenecks, and elevated operational cost. To solve these problems, we developed ACCP, then implemented, debugged, and have been tuning its performance in our own most critical production environments since 2017. We have updated dozens of cryptographic algorithms, enabling us to accelerate many different cryptographic workloads.

You can now enjoy this performance optimization in your own environments: with ACCP, we are introducing another supported distribution, ready for production use for JDK 8 and 11. The performance gains you might see will vary by algorithm and workload, but in benchmarking and live production use we have commonly seen service throughput improvements in excess of 25%. In general, slower algorithms and larger data sets will benefit the most from ACCP; as just one example, the AES-GCM algorithm with ACCP is over 28x faster than AES-GCM without ACCP.

What exactly is ACCP?

ACCP implements the standard Java Cryptography Architecture (JCA) interfaces and replaces the default Java cryptographic implementations with those provided by libcrypto from the OpenSSL project. ACCP allows you to take full advantage of assembly-level and CPU-level performance tuning, to gain significant cost reduction, latency reduction, and higher throughput across multiple services and products, as shown in the examples below.

Examples of ACCP performance improvements

AWS Snowball uses ACCP to run cryptographic functions about 20 times faster, doubling its data transfer speed. Amazon S3 and AWS IoT use ACCP to enable new cryptographic features that were previously too resource-intensive to deliver.

One AWS service that terminates TLS at the host level dramatically reduced its CPU utilization; in the graph below, you can see the difference before and after deploying ACCP.

AWS service that terminates TLS at the host level: graph showing dramatically reduced CPU utilization after deploying ACCP.


After implementing ACCP, another service reported a drop in peak CPU usage from ~66% to ~55%:

Graph showing an AWS service with a drop in peak CPU usage from ~66% to ~55% after implementing ACCP.


Another service reported a 40% reduction in fleet cost. Yet another increased its capacity by 32%.

How do I start using ACCP?

We have released ACCP as a standalone Maven package that works with any JDK that supports the JCA.

Here is an example Maven config:

<dependency>
    <groupId>software.amazon.cryptools</groupId>
    <artifactId>AmazonCorrettoCryptoProvider</artifactId>
    <version>LATEST</version>
    <classifier>linux-x86_64</classifier>
</dependency>

Add this line to your initialization code:

com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider.install();

Or, alternatively, add the following Java system property to your program's command line:

-Djava.security.properties=/path/to/amazon-corretto-crypto-provider.security

For other integrations, including those that require no code changes, see the Amazon Corretto Crypto Provider readme.
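The following Java program is an added example, not code from this post or from the ACCP project. It runs the install() call shown above and then does the two checks a practitioner wants before trusting the speed-up in production: it confirms that AES/GCM is actually being served by ACCP (if the native library fails to load, the JCA quietly falls back to the bundled pure-Java provider and nothing is faster), and it exercises an AES-256-GCM round trip, including a check that a modified ciphertext is rejected. The INSTANCE.assertHealthy() self-check and the "AmazonCorrettoCryptoProvider" provider-name string are taken from my reading of the ACCP README and are assumptions to verify against the version you deploy; the sample plaintext and AAD are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

import com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider;

/** Added smoke test: install ACCP, prove it is the provider in use, then exercise AES-GCM. */
public class AccpSmokeTest {
    // Name under which ACCP registers with the JCA. Assumed from the ACCP README;
    // confirm it against the build you deploy.
    private static final String ACCP_PROVIDER = "AmazonCorrettoCryptoProvider";
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;

    /** Installs ACCP and returns the name of the provider that will serve AES/GCM. */
    static String installAndReportAesGcmProvider() throws GeneralSecurityException {
        // The same call the post gives for initialization code: registers ACCP
        // at the highest provider priority.
        AmazonCorrettoCryptoProvider.install();
        // Self-check documented in the ACCP README (assumed here); it throws if
        // the libcrypto-backed native code is unusable.
        AmazonCorrettoCryptoProvider.INSTANCE.assertHealthy();
        // If the native library failed to load, the JCA silently falls back to
        // the default pure-Java provider, so always check who actually answers.
        return Cipher.getInstance("AES/GCM/NoPadding").getProvider().getName();
    }

    /** AES-256-GCM encrypt/decrypt round trip, plus a check that a flipped ciphertext bit is rejected. */
    static boolean aesGcmRoundTripWithTamperCheck(byte[] plaintext, byte[] aad)
            throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh IV per message; never reuse a key/IV pair with GCM

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        enc.updateAAD(aad);
        byte[] ciphertext = enc.doFinal(plaintext); // ciphertext followed by the 16-byte tag

        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        dec.updateAAD(aad);
        if (!Arrays.equals(plaintext, dec.doFinal(ciphertext))) {
            return false;
        }

        // Integrity property of GCM: any modification of the ciphertext must fail authentication.
        byte[] tampered = ciphertext.clone();
        tampered[0] ^= 0x01;
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        dec.updateAAD(aad);
        try {
            dec.doFinal(tampered);
            return false; // tampered data was accepted: the provider is not behaving as GCM must
        } catch (AEADBadTagException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String provider = installAndReportAesGcmProvider();
        if (!ACCP_PROVIDER.equals(provider)) {
            throw new IllegalStateException("AES/GCM is served by " + provider + ", not ACCP");
        }
        System.out.println("AES/GCM provider: " + provider);

        // Constructed sample input.
        byte[] plaintext = "order 42: ship 3 units".getBytes(StandardCharsets.UTF_8);
        byte[] aad = "v1".getBytes(StandardCharsets.UTF_8);
        if (!aesGcmRoundTripWithTamperCheck(plaintext, aad)) {
            throw new IllegalStateException("AES-GCM round trip or tamper check failed");
        }
        System.out.println("AES-GCM round trip OK; tampered ciphertext rejected");
    }
}
```

Build it with the Maven dependency above on the classpath. For production builds, pin a concrete ACCP version instead of LATEST so that the artifact in use is reproducible and can be reviewed before it is rolled out; the provider-name check is also worth keeping as a startup assertion, since a silent fallback to the default provider is otherwise invisible except as missing performance.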

What’s next?

We plan to integrate ACCP with Corretto so you’ll be able to skip installing the package, and just enable ACCP in your code or in configuration. Once that step is done, we will monitor customer feedback to decide whether we want to turn it on by default.

Please try out ACCP, participate in its development, and let us know what you think on the Amazon Corretto Crypto Provider repo.

re:Invent 2019!

Learn more about Corretto at re:Invent in OPN304 – Migrating AWS Lambda’s front end from Java 8 to Java 11.

Greg Rubin


Greg Rubin is a Security Engineer and has been with Amazon since 2005. He focuses on making cryptography so easy to use correctly that people don't need to worry about it anymore. In his spare time he has an ever growing collection of musical instruments which he's trying to teach himself.

Yishai Galatzer


Yishai Galatzer is the manager of the Artifacts and Languages Group in AWS Developer Tools. His team builds and distributes Amazon Corretto, a no-cost, multiplatform, production-ready distribution of the OpenJDK. Yishai’s team built the JDK that powers Amazon’s services, and in 2018 released it under the Amazon Corretto brand for public consumption. Previously, Yishai worked on open source projects for Microsoft, leading the following .NET projects: NuGet, MVC and MVC Core, and WebAPI and Razor. You can find him on Twitter as @yigalatz or in the streets of Seattle, Washington.