When testing chacha20-poly1305, I noticed that aes-gcm is significantly
faster than aes-ctr or aes-cbs with umac. Even on systems w/o aes-ni
or other recent instruction set additions.
And there seems to be consensus in the crypto community that AEAD
ciphers are the way forward.
As such, promoting the AEAD ciphers to the head of the preference
list looks like a good idea.
That would mean either:
#define KEX_DEFAULT_ENCRYPT \
	AESGCM_CIPHER_MODES \
	"chacha20-poly1305@openssh.com," \
	"aes128-ctr,aes192-ctr,aes256-ctr," \
	"arcfour256,arcfour128," \
	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
	"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
or:
#define KEX_DEFAULT_ENCRYPT \
	"chacha20-poly1305@openssh.com," \
	AESGCM_CIPHER_MODES \
	"aes128-ctr,aes192-ctr,aes256-ctr," \
	"arcfour256,arcfour128," \
	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
	"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
The fact that AESGCM_CIPHER_MODES expands to "" when compiled against
versions of openssl which lack EVPGCM may put a damper in that, but
perhaps it still seems better to use whichever AEADs are available
whenever they are available.
-JimC
--
James Cloos <cloos at jhcloos.com> OpenPGP: 1024D/ED7DAEA6
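Added illustration, not code from this thread or from OpenSSH: the second proposed ordering with its AESGCM_CIPHER_MODES build switch, plus the RFC 4253 rule that the cipher chosen is the first entry on the client's list the server also offers, so the effect of the reordering (and of the "" expansion) on a given peer can be seen. The OPENSSL_HAVE_EVPGCM guard and the GCM mode names are assumed to match OpenSSH's myproposal.h; the shortened list and the peer lists are constructed.

```c
#include <string.h>

/* As the thread notes: without EVP GCM in OpenSSL this expands to "". */
#ifdef OPENSSL_HAVE_EVPGCM
#define AESGCM_CIPHER_MODES "aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
#else
#define AESGCM_CIPHER_MODES ""
#endif

/* Second ordering proposed above, shortened to the entries used here. */
#define KEX_DEFAULT_ENCRYPT \
	"chacha20-poly1305@openssh.com," \
	AESGCM_CIPHER_MODES \
	"aes128-ctr,aes192-ctr,aes256-ctr," \
	"aes128-cbc,3des-cbc"

/* Return 1 if name (len bytes) appears as a whole comma-separated entry. */
int list_has(const char *list, const char *name, size_t len)
{
	const char *p = list;
	while (*p) {
		const char *q = strchr(p, ',');
		size_t n = q ? (size_t)(q - p) : strlen(p);
		if (n == len && memcmp(p, name, len) == 0)
			return 1;
		p = q ? q + 1 : p + n;	/* next entry, or end of list */
	}
	return 0;
}

/* RFC 4253 7.1: the first entry on the client's list that the server also
 * offers is chosen, so list order is all the proposal changes. Copies the
 * winner into out and returns it, or NULL if the lists share nothing. */
const char *negotiate_cipher(const char *client, const char *server,
    char *out, size_t outlen)
{
	const char *p = client;
	while (*p) {
		const char *q = strchr(p, ',');
		size_t n = q ? (size_t)(q - p) : strlen(p);
		if (n > 0 && n < outlen && list_has(server, p, n)) {
			memcpy(out, p, n);
			out[n] = '\0';
			return out;
		}
		p = q ? q + 1 : p + n;	/* skips empty entries too */
	}
	return NULL;
}
```

Against a peer that offers only CTR and CBC the result is aes128-ctr whichever way the client is built; against a GCM-capable peer, the client built without EVP GCM falls through to aes128-ctr while one built with it gets aes128-gcm@openssh.com.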

On Mon, 30 Dec 2013, James Cloos wrote:
> When testing chacha20-poly1305, I noticed that aes-gcm is significantly
> faster than aes-ctr or aes-cbs with umac. Even on systems w/o aes-ni
> or other recent instruction set additions.
>
> And there seems to be consensus in the crypto community that AEAD
> ciphers are the way forward.

Lots of cryptographers also think that AES-GCM is fiendishly difficult to
get right, especially wrt timing leaks. That, and its relative newness in
OpenSSH, are the reasons it is not the default.

-d

James Cloos <cloos at jhcloos.com> wrote:
> When testing chacha20-poly1305, I noticed that aes-gcm is significantly
> faster than aes-ctr or aes-cbs with umac. Even on systems w/o aes-ni
> or other recent instruction set additions.

No way. This disagrees completely with what I'm seeing:

On Sandy Bridge systems with AES-NI, aes128-gcm is about as fast as
aes128-ctr+umac-64.

On x86-64 systems without AES-NI, aes128-gcm is slower than
aes128-ctr+umac-64. (OpenSSL 1.0.1c, 1.0.1e)

On other systems without AES-NI or the benefit of assembly language
optimizations in OpenSSL, aes128-gcm is painfully slower than
aes128-ctr+umac-64. (OpenSSL 1.0.1c)

--
Christian "naddy" Weisgerber naddy at mips.inka.de