Strong Encryption
Damien Miller
djm at mindrot.org
Sat Jul 10 01:08:10 EST 2004
Dan Kaminsky wrote:
>>Ben already said RC4 is the fastest encryption algorithm supported by SSH,
>>but it has some cryptographic weaknesses.
>
> Some? :-)
It has a bias and some key material leakage, though I doubt that these
could be used to build a practical attack, at least not in the context of
SSH. See: http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
Remember that cryptographers have very different versions of "attack"
and "weakness" to the rest of the world.
> Heh, since when was SHA-1 slower than ciphering?
type            16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha1            4121.41k    12750.30k    30907.53k    47681.66k    56379.43k
rc4            79799.42k    87071.85k    94870.19k    95988.28k    96742.29k
HMAC is probably slower still and these numbers probably don't reflect
the speed that we achieve because currently we do a MAC ctx setup per
packet (IIRC).
Markus can post his AES benchmarks from his little VIA processor, they
are more fun still :)
>>The preferred encryption method is the counter mode CTR. CBC has some
>>small weaknesses; I personally don't consider them that severe.
>
> Given that SSH operates over TCP and thus has perfect record ordering
> and reconstruction, the advantages of CTR aren't nearly as great. I'm
> open to being corrected on this assertion, though :-)
See the discussion of cryptographic weaknesses in the SSH protocol
relating to the use of CBC and encrypt-then-MAC on ietf-ssh@ list about
18 months ago - again, (IMO) these were theoretical concerns.
-d
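The RC4 "bias" mentioned above can be seen directly. The following is an added example, not code from the post, from Damien Miller or from OpenSSH: a plain RC4 (KSA + PRGA) implementation and a small experiment that counts how often the second keystream byte is zero over many random keys. Mantin and Shamir showed that this happens with probability close to 2/256 instead of the 1/256 a uniform keystream would give. The first keystream byte is counted alongside as a near-uniform reference. The number of trials, the key length and the RNG seed are arbitrary choices for the experiment.

```python
"""Empirical demonstration of the RC4 second-byte bias (Mantin-Shamir).

Added example; not from the original mailing-list post. The RC4 code is a
direct transcription of the published KSA/PRGA. Trial count, key length and
seed below are assumptions chosen only to make the bias visible quickly.
"""
import random


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the key-dependent permutation S."""
    s = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes produced by the PRGA for key."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def second_byte_zero_rate(trials: int = 20000, key_len: int = 16,
                          seed: int = 1) -> dict:
    """Fraction of random keys whose keystream byte 1 / byte 2 is zero.

    For a uniform keystream both rates would be about 1/256. Mantin and
    Shamir showed P(Z2 == 0) is close to 2/256 for random keys, while Z1
    stays close to uniform.
    """
    rng = random.Random(seed)  # fixed seed: constructed, reproducible input
    z1_zero = z2_zero = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        z1, z2 = rc4_keystream(key, 2)
        z1_zero += (z1 == 0)
        z2_zero += (z2 == 0)
    return {
        "z1_zero_rate": z1_zero / trials,
        "z2_zero_rate": z2_zero / trials,
        "uniform_rate": 1 / 256,
    }


def bias_is_visible(trials: int = 20000, seed: int = 1) -> bool:
    """True if the second-byte zero rate is clearly above the uniform rate
    and above the first-byte rate (a loose, sample-size-aware check)."""
    r = second_byte_zero_rate(trials=trials, seed=seed)
    return (r["z2_zero_rate"] > 1.4 * r["uniform_rate"]
            and r["z2_zero_rate"] > 1.5 * r["z1_zero_rate"])


if __name__ == "__main__":
    rates = second_byte_zero_rate()
    print("P(Z1 == 0) ~ %.5f" % rates["z1_zero_rate"])
    print("P(Z2 == 0) ~ %.5f" % rates["z2_zero_rate"])
    print("uniform    = %.5f" % rates["uniform_rate"])
    print("bias visible:", bias_is_visible())
```

Running it prints a second-byte zero rate roughly twice the first-byte rate. In SSH this particular bias is not directly exploitable, since only the first few keystream bytes are affected and SSH does not resend a fixed plaintext under many fresh keys, but it is the kind of "weakness" the post is referring to, and the reason RC4 was later dropped from default cipher lists.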