Phooraalai
2014-Jan-07 09:45 UTC
max rsa key length, sym. cipher and digest recommendations ?
Hello,

I understand that I can use the openssl ciphers and digests available on my systems, i.e. those in the list generated by "openssl list-cipher-commands" and "openssl list-message-digest-algorithms".

I want to create an admin vpn network between my servers and my workplace. Network throughput is not a big issue, I am using ssh and the cli, however I would also do incremental rsync backups over this vpn.

What are the recommendations for rsa key lengths, the cipher and the digest algo?

Blowfish as the symmetric cipher seems ok to me. Would aes-256-cbc benefit from the aes acceleration in modern cpus?

Would cipher=aes-256-cbc work in my host configuration files?

The documentation (man 5 tinc.conf) says that sha1 is the default digest. What about using sha512? Any huge performance penalty that I would have to know about?

Would digest=sha512 work in my host configuration files?

What is the max rsa key length supported by tinc when running tincd -n NETNAME -KXXXX to generate the asym. rsa key? 4096, 8192, 16384?

Is there somewhere a write up of the steps to build my own .deb packages for debian wheezy and ubuntu 12.04?

Thanks
Guus Sliepen
2014-Jan-07 10:18 UTC
max rsa key length, sym. cipher and digest recommendations ?
On Tue, Jan 07, 2014 at 10:45:04AM +0100, Phooraalai wrote:

> I understand that I can use the openssl ciphers and digests available on
> my systems, i.e. those in the list generated by "openssl
> list-cipher-commands" and "openssl list-message-digest-algorithms".

That is correct.

> I want to create an admin vpn network between my servers and my
> workplace. Network throughput is not a big issue, I am using ssh and the
> cli, however I would also do incremental rsync backups over this vpn.
>
> What are the recommendations for rsa key lengths, the cipher and the
> digest algo?

The default values are already pretty good (2048-bit RSA keys, Blowfish-CBC, and SHA1).

> Blowfish as the symmetric cipher seems ok to me. Would aes-256-cbc
> benefit from the aes acceleration in modern cpus?
>
> Would cipher=aes-256-cbc work in my host configuration files?

Yes, that would work.

> The documentation (man 5 tinc.conf) says that sha1 is the default
> digest. What about using sha512? Any huge performance penalty that I
> would have to know about?
>
> Would digest=sha512 work in my host configuration files?

That would work, but SHA512 is twice as slow as SHA1. If you are using the AES cipher on a CPU which accelerates AES, then the digest algorithm will be the largest consumer of CPU time, so if you don't want to lose the benefit of AES you should stick to SHA1.

> What is the max rsa key length supported by tinc when running tincd -n
> NETNAME -KXXXX to generate the asym. rsa key? 4096, 8192, 16384?

Any length up to 8192 bits is supported by tinc. You also don't have to use powers of two, for example you can also use 6000-bit keys.

> Is there somewhere a write up of the steps to build my own .deb packages
> for debian wheezy and ubuntu 12.04?

The easiest way is to run "apt-get source tinc" to get the source of the tinc package, then to make any modifications you want, and then run "debuild" (debuild is part of the devscripts package).
-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
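The settings weighed in the exchange above, put into a host configuration file and checked against the local OpenSSL build. This is an added example, not code from either poster or from the tinc project. It assumes a network name of adminvpn, a node name of server1, placeholder Address/Subnet values, and that the OpenSSL binary answers either the newer "openssl list -cipher-algorithms" form or the older "openssl list-cipher-algorithms" / "openssl list-message-digest-algorithms" commands named in the question; the key-generation, package-build and benchmark functions are shown but not run automatically.

```shell
#!/bin/sh
# Added example, not from the thread or from tinc: write a tinc 1.0 host
# file with the Cipher/Digest choices discussed, verify OpenSSL knows the
# names, and wrap the key-generation, benchmark and .deb-build commands.
set -u

NETNAME=${NETNAME:-adminvpn}      # assumption: network name
TINC_NODE=${TINC_NODE:-server1}   # assumption: this node's name

# Write hosts/$TINC_NODE under $1 (default /etc/tinc/$NETNAME). Cipher and
# Digest are per-host variables in tinc.conf(5); the Address and Subnet
# values are placeholders for this example.
write_host_config() {
    dir=${1:-/etc/tinc/$NETNAME}
    cipher=${2:-aes-256-cbc}
    digest=${3:-sha1}
    mkdir -p "$dir/hosts"
    cat > "$dir/hosts/$TINC_NODE" <<EOF
# placeholder endpoint and subnet for the example
Address = vpn.example.net
Subnet = 10.44.0.1/32
Cipher = $cipher
Digest = $digest
EOF
    printf '%s\n' "$dir/hosts/$TINC_NODE"
}

# Print the cipher or digest names the local OpenSSL exposes. Newer
# releases use "openssl list -...", older ones the separate commands.
openssl_names() {
    case $1 in
        cipher) openssl list -cipher-algorithms 2>/dev/null \
                || openssl list-cipher-algorithms 2>/dev/null ;;
        digest) openssl list -digest-algorithms 2>/dev/null \
                || openssl list-message-digest-algorithms 2>/dev/null ;;
    esac
}

# Exit 0 if OpenSSL knows the name (tinc resolves Cipher/Digest through
# OpenSSL, so an unknown name here will not work in the host file).
openssl_knows() {
    openssl_names "$1" | grep -qi -- "$2"
}

# Generate this node's RSA key pair; the reply says tinc accepts any
# length up to 8192 bits, not only powers of two.
generate_key() {
    bits=${1:-4096}
    tincd -n "$NETNAME" -K"$bits"
}

# Measure the candidates on this CPU. "-evp" makes openssl use the
# accelerated AES path where available, which is what the advice about
# the digest becoming the bottleneck hinges on.
bench() {
    openssl speed -evp aes-256-cbc
    openssl speed sha1 sha512
}

# Build a local .deb as the reply suggests (debuild is in devscripts);
# -us -uc skips signing the result.
build_deb() {
    apt-get source tinc && cd tinc-*/ && debuild -us -uc
}

# Demonstration: write the file into a scratch directory and validate it.
demo_dir=$(mktemp -d)
cfg=$(write_host_config "$demo_dir" aes-256-cbc sha1)
cat "$cfg"
for pair in "cipher aes-256-cbc" "digest sha1" "digest sha512"; do
    set -- $pair
    if openssl_knows "$1" "$2"; then
        echo "$2: known to openssl"
    else
        echo "$2: NOT known to openssl"
    fi
done
```

Run it once on the workstation and once on each server: the cipher and digest names must be accepted by every OpenSSL build that tinc links against, and the benchmark will show whether the digest, not AES, dominates on your CPUs before you commit to sha512.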