AES-CCM [Was: Re: Question performance of SSH v1 vs SSH v2]

Andy Polyakov appro at fy.chalmers.se
Tue Mar 1 06:06:52 EST 2005


>> I have looked at implementing AES CCM, which could be much faster,
>> particularly on platforms with AES implemented in CPU instructions, but
>> it doesn't fit nicely in the cipher and MAC negotiation mechanism.
> 
> That would actually be amazingly cool.

Keep in mind that CCM mode calls the encryption function twice per 
block, meaning that it's ~2x as slow as encryption alone. Therefore a 
performance gain can be observed only if the hash function is slower than 
AES, which is not necessarily the case. At least it's not the case with 
currently widely used hash functions. As of now hardware AES is 
virtually the only occasion when it's beneficial to favor CCM over a 
combination with e.g. SHA1 [provided that SHA1 is implemented in 
software], but as new slower hash functions are adopted, CCM becomes 
more attractive even for software-only systems. It makes sense to 
implement the mode algorithm at OpenSSL level [it would be possible to 
optimize it at a lower level in both hardware and software cases], so 
when/if you figure out negotiation, give me a note. A.