Recent MAC improvements

Damien Miller djm at mindrot.org
Mon Jun 11 14:43:33 EST 2007


Hi,

There has been some recent work to improve the speed of the Message
Authentication Codes (MACs) that are used in OpenSSH.

The first improvement is a change from Markus Friedl to reuse the MAC
context, rather than reinitialising it for every packet. This saves two
calls to the underlying hash function (e.g. SHA1) for each packet. My
tests found that this yielded a 12-16% speedup for bulk transfers to
localhost using HMAC-MD5 and arcfour256. HMAC-SHA1 should see an even
bigger improvement, because SHA1 is a more expensive hash function.

The second improvement is Peter Valchev's addition of a new MAC: Ted
Krovetz' UMAC-64[1]. This MAC uses a very different approach than the
HMACs that OpenSSH currently supports, and it comes with a nice security
proof that guarantees its resistance so long as its underlying block
cipher (AES) remains cryptologically intact. Testing (bulk transfers to
localhost using arcfour256) found UMAC-64 to perform 20% better than
HMAC-MD5, and 28% faster than HMAC-SHA1. This new MAC may be selected
by specifying "MACs=umac-64@openssh.com" in a server or client config.

These changes need testing on as many platforms as possible. In particular
we are interested in the following corner cases:

- Old OpenSSL version (0.9.5ish)
- Testing between big and little endian machines (i386 vs. sparc for example)
- Testing between previous OpenSSH versions and -current
- Testing on strict alignment architectures like Alpha and Itanium

Please report your findings to the mailing list.

-d

[1] http://fastcrypto.org/umac/
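The context-reuse idea from the first improvement, as an added illustration (not OpenSSH's code): the keyed inner and outer hash states are computed once per connection and copied per packet, and the result is checked against a fresh HMAC for each packet. The SSH MAC input layout (sequence number followed by the unencrypted packet) follows RFC 4253; the key and packets are constructed sample data.

```python
import hashlib
import hmac
import struct


class ReusableHmac:
    """HMAC with precomputed keyed contexts, copied for each message."""

    def __init__(self, key, digestmod=hashlib.sha1):
        block_size = digestmod().block_size
        if len(key) > block_size:
            key = digestmod(key).digest()
        key = key.ljust(block_size, b"\x00")
        ipad = bytes(b ^ 0x36 for b in key)
        opad = bytes(b ^ 0x5C for b in key)
        # Absorbing ipad and opad costs one hash compression call each.
        # Doing it once here, instead of on every packet, is the saving.
        self._inner = digestmod(ipad)
        self._outer = digestmod(opad)

    def mac(self, message):
        inner = self._inner.copy()   # cheap state copy, no re-keying
        inner.update(message)
        outer = self._outer.copy()
        outer.update(inner.digest())
        return outer.digest()


def ssh_mac_input(seqno, packet):
    # SSH transport MACs cover the 32-bit big-endian sequence number
    # followed by the unencrypted packet (RFC 4253).
    return struct.pack(">I", seqno) + packet


def mac_stream(key, packets, digestmod=hashlib.sha1):
    # One keyed context for the whole connection, copied per packet.
    ctx = ReusableHmac(key, digestmod)
    return [ctx.mac(ssh_mac_input(i, p)) for i, p in enumerate(packets)]


def mac_stream_reference(key, packets, digestmod=hashlib.sha1):
    # Re-keys the HMAC for every packet (the pre-change behaviour).
    return [hmac.new(key, ssh_mac_input(i, p), digestmod).digest()
            for i, p in enumerate(packets)]


# Constructed sample data, not from a real session.
SAMPLE_KEY = bytes(range(20))
SAMPLE_PACKETS = [b"\x00\x00\x00\x0c\x0a" + b"packet-%d" % i for i in range(3)]

if __name__ == "__main__":
    assert mac_stream(SAMPLE_KEY, SAMPLE_PACKETS) == mac_stream_reference(SAMPLE_KEY, SAMPLE_PACKETS)
    print("context-reuse HMAC matches per-packet HMAC for all packets")
```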

