Strange crypto choices

Christian Weisgerber naddy at mips.inka.de
Sun May 27 03:21:51 AEST 2018


On 2018-05-25, Yegor Ievlev <koops1997 at gmail.com> wrote:

> The defaults for HostKeyAlgorithms option are: [...]
> Why does OpenSSH prefer older and less secure
> (https://safecurves.cr.yp.to/) ECDSA with NIST curves over Ed25519?

I asked Markus and Damien about this in the past but honestly don't
remember the answer.  Some of the potential reasons (lack of
standardization, no DNS fingerprint, ...) seem to no longer apply.
I've been wanting to hassle Markus and Damien about this again,
once I run into them in person, but that opportunity hasn't presented
itself yet.

> Also why are smaller key, curve and hash sizes preferred over bigger
> ones?

Reasonable trade-off between security and performance.

> The default ciphers are: [...]
> Why is CTR mode preferred over GCM?

GCM performs poorly without hardware support for carry-less
multiplication.

> The default MACs are: [...]
> Why is UMAC preferred over HMAC? UMAC is less widely known and does
> not have as much research done on its security as HMAC.

UMAC has a security proof and performs very well.

-- 
Christian "naddy" Weisgerber                          naddy at mips.inka.de
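
The GCM answer above turns on whether the CPU has a carry-less multiply instruction, which can be checked on the host itself. The following is an added example, not part of the original message or of OpenSSH: it assumes a Linux-style `/proc/cpuinfo`, the function names are hypothetical, and the flag names it looks for are `pclmulqdq`/`vpclmulqdq` (x86) and `pmull` (arm64).

```shell
#!/bin/sh
# Added example: report whether this CPU offers carry-less multiplication,
# the hardware support the reply says GCM needs to perform well.

# cpu_flags [FILE]: print the feature list of the first CPU entry
# ("flags" on x86, "Features" on arm64). Defaults to /proc/cpuinfo.
cpu_flags() {
    awk -F: '/^(flags|Features)[ \t]*:/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# has_clmul FLAGS: succeed if the space-separated flag list names a
# carry-less multiply instruction.
has_clmul() {
    for f in $1; do
        case "$f" in
            pclmulqdq|vpclmulqdq|pmull) return 0 ;;
        esac
    done
    return 1
}

# gcm_hw_status FLAGS: print "accelerated" when carry-less multiply is
# present, "software-only" when GCM would fall back to a slow software path.
gcm_hw_status() {
    if has_clmul "$1"; then
        echo "accelerated"
    else
        echo "software-only"
    fi
}

# Report for the local machine, when the information is available.
if [ -r /proc/cpuinfo ]; then
    echo "GCM on this CPU: $(gcm_hw_status "$(cpu_flags)")"
fi

# List the AES-GCM and AES-CTR ciphers the local client was built with.
if command -v ssh >/dev/null 2>&1; then
    ssh -Q cipher 2>/dev/null | grep -E '^aes.*(gcm|ctr)' || true
fi
```

`ssh -G <host>` prints the cipher order the client would actually offer to a given host, which is the list to compare against the result.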


More information about the openssh-unix-dev mailing list