Displaying 20 results from an estimated 60000 matches similar to: "CIphers and Channels"
2023 Mar 29
1
[EXTERNAL] Re: ChaCha20 Rekey Frequency
That's true for block ciphers, but ChaCha20+poly1305 is a stream cipher.
On Wed, 29 Mar 2023, Robinson, Herbie wrote:
>
> I?m hardly an expert on this, but if I remember correctly, the rekey rate
> for good security is mostly dependent on the cipher block size.? I left my
> reference books at home; so, I can?t come up with a reference for you, but I
> would take Chris?
2023 Mar 29
1
[EXTERNAL] Re: ChaCha20 Rekey Frequency
I'm hardly an expert on this, but if I remember correctly, the rekey rate for good security is mostly dependent on the cipher block size. I left my reference books at home; so, I can't come up with a reference for you, but I would take Chris' "I'm deeply unsure of what impact that would have on the security of the cipher" comment seriously and switch to a cipher with a
2023 Mar 29
2
ChaCha20 Rekey Frequency
On Wed, 29 Mar 2023, Chris Rapier wrote:
> I was wondering if there was something specific to the internal chacha20
> cipher as opposed to OpenSSL implementation.
>
> I can't just change the block size because it breaks compatibility. I can do
> something like as a hack (though it would probably be better to do it with the
> compat function):
>
> if
2007 Sep 26
1
Inconsistent none cipher behavior
Using stock OpenSSH 4.7 I found different behavior when trying to
specify the use of the 'none' cipher depending on the command line
option nomenclature. This is under linux 2.6.19-web100
using -ocipher=none
[root at delta openssh-4.7p1-hpnv19]# /home/rapier/ssh47/bin/scp -S
/home/rapier/ssh47/bin/ssh -ocipher=none -P 2222 ~rapier/2gb
rapier at localhost:/dev/null
rapier at
2002 Oct 26
4
Different ciphers, MAC, compression for inbound and outbound .
Hi,
According to IETF draft draft-ietf-secsh-transport-14.txt, different
ciphers(encryption), MAC and compression can be used for one direction say
server-to-client and a completely different cipher, MAC and compression for
the other direction client-to-server of the same connection.
Is this supported today in OpenSSH, and if not, are there plans to support
it in any future releases of the code?
2006 May 19
1
New HPN Patch Released
The HPN12 patch available from
http://www.psc.edu/networking/projects/hpn-ssh addresses performance
issues with bulk data transfer over high bandwidth delay paths. By
adjusting internal flow control buffers to better fit the outstanding
data capacity of the path significant improvements in bulk data
throughput performance are achieved.
In other words, transfers over the internet are a lot
2008 Jan 16
2
Optional 'test' or benchmark cipher
I hope this is the right list, as I'm desiring a feature addition
in openssh. I would like the option to have a 'null' cipher (after
the initial authorization, similar to 'delayed' for compression).
It would have to be enabled on both client and server and server
would never use it unless it was both enabled and asked for by
the client.
I'd strongly prefer it be able to
2005 Jun 17
3
New Set of High Performance Networking Patches Available
http://www.psc.edu/networking/projects/hpn-ssh/
Mike Stevens and I just released a new set of high performance
networking patches for OpenSSH 3.9p1, 4.0p1, and 4.1p1. These patches
will provide the same set of functionality across all 3 revisions. New
functionality includes
1) HPN performance even without both sides of the connection being HPN
enabled. As long as the bulk data flow is in the
2012 May 30
3
SCTP support for OpenSSH
Hi,
I have written a patch to add SCTP support for OpenSSH on systems with SCTP capabilities with the following features:
- SCTP support can be configured with --with-sctp, but is disabled by default
- use SCTP for SSH connections instead of TCP
- SCTP's multi-homing is activated for all available addresses by default, if SCTP is used
- the sshd can be configured to listen with TCP, SCTP, or
2012 Apr 15
1
Legacy MACs and Ciphers: Why?
Why are legacy MACs (like md5-96), and legacy Ciphers (anything in
cbc-mode, arcfour*(?)) enabled by default?
My proposal would be to change the defaults for ssh_config and
sshd_config to contain:
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
...removing md5, truncated versions of sha1, umac64 (for
which I can find barely any review), any cipher in cbc
2023 Aug 05
1
Packet Timing and Data Leaks
On Thu, Aug 3, 2023 at 2:35?PM Chris Rapier <rapier at psc.edu> wrote:
>
> Howdy all,
>
> So, one night over beers I was telling a friend how you could use the
> timing between key presses on a type writer to extract information.
> Basically, you make some assumptions about the person typing (touch
> typing at so many words per second and then fuzzing the parameters
2023 Dec 20
1
Discussion: new terrapin resisting ciphers and macs (alternative to strict-kex) and -ctr mode question.
Hello,
in addition to my last thread about a new config option to make strict-kex mandatory,
I also wonder if a new mechanism for ciphers/macs can be introduced and is reliable
by simple both sides using it.
So there could be a Chacha20-Poly1305v2 at openssh.com which uses AD data to chain the
messages together, so it will be resistant against terrapin even without the strict-kex.
Consequently
2007 May 07
1
HPN SSH
Hello,
I know this has come up before; but is the HPN patch (or elements thereof)
currently being considered for integration in to the OpenSSH code base? Are
there pending issues (buffer management, none cipher, etc) which still need
to be addressed?
We have been using HPN-SSH for over a year now, and like others, have
observed significant performance improvement over standard OpenSSH. I can
2007 Jun 11
9
Recent MAC improvements
Hi,
There has been some recent work to improve the speed of the Message
Authentication Codes (MACs) that are used in OpenSSH.
The first improvement is a change from Markus Friedl to reuse the MAC
context, rather than reinitialising it for every packet. This saves two
calls to the underlying hash function (e.g. SHA1) for each packet. My
tests found that this yielded at 12-16% speedup for bulk
2023 Aug 17
21
[Bug 3603] New: ssh clients can't communicate with server with default cipher when fips is enabled at server end
https://bugzilla.mindrot.org/show_bug.cgi?id=3603
Bug ID: 3603
Summary: ssh clients can't communicate with server with default
cipher when fips is enabled at server end
Product: Portable OpenSSH
Version: 9.4p1
Hardware: All
OS: Linux
Status: NEW
Severity: critical
2001 Jan 08
2
openSSH: configure ciphers.
I see that:
SSH uses the following ciphers for encryption:
Cipher SSH1 SSH2
DES yes no
3DES yes yes
IDEA yes no
Blowfish yes yes
Twofish no yes
Arcfour no yes
Cast128-cbc no yes
Two ques re: sshd:
1) Using openssh, how do I configure which
2003 Dec 20
7
README.Solaris9-X86
The "--disable-strip" configure option is required as the Solaris9-X86
linker/loader will not be able to load any of the executables and will
display a "Killed" message. Similarly, 'ldd' will fail with a "file has
insecure interpreter" error message.
Performing a loader or ldd test from the OpenSSH installation directory on the
compiled executables within the
2023 Jun 10
1
Question About Dynamic Remote Forwarding
On Fri, 9 Jun 2023, Chris Rapier wrote:
> Hi all,
>
> When a client requests dynamic remote forwarding with -R it delays forking
> into the background. In ssh.c we see
>
> if (options.fork_after_authentication) {
> if (options.exit_on_forward_failure &&
> options.num_remote_forwards > 0) {
> debug("deferring postauth fork until
2023 Mar 29
1
ChaCha20 Rekey Frequency
I was wondering if there was something specific to the internal chacha20
cipher as opposed to OpenSSL implementation.
I can't just change the block size because it breaks compatibility. I
can do something like as a hack (though it would probably be better to
do it with the compat function):
if (strstr(enc->name, "chacha"))
*max_blocks = (u_int64_t)1 << (16*2);
2007 Nov 05
2
Logit function problems
I'm trying to collect some additional user information from the server
using the 'logit' function. For example, I'm trying to get the cipher,
mac, and compression status from kex.c in kex_chose_conf() with
logit("SSH: %s;Ltype: Kex;Enc: %s;MAC: %s:Comp: %s",
ctos ? "Server" : "Client",
newkeys->enc.name,
newkeys->mac.name,