Hello,
The previous patch adds a regression: dbclient throws the error "Sorry, I won't let you 
use password auth unencrypted." when Chacha20-Poly1305 is negotiated, despite the 
fact that encryption is in place.

Please refer to the fixed version attached; https://github.com/mkj/dropbear/pull/93 is 
also updated.
Best Regards, Vladislav Grishenko
From: Vladislav Grishenko <themiron...@gmail.com> 
Sent: Sunday, April 26, 2020 5:49 AM
To: dropbear@ucc.asn.au
Cc: 'Matt Johnston' <m...@ucc.asn.au>
Subject: [PATCH] Add Chacha20-Poly1305 and AES-GCM ciphers
Hello,
Chacha20-Poly1305 and AES-GCM are authenticated encryption ciphers, widely 
supported by multiple ssh servers and clients.

* Chacha20-Poly1305 is faster than AES256 on CPUs without dedicated AES 
instructions, while having the same key size.

* AES-GCM is a combination of AES-CTR mode and GHASH, and is slower than AES-CTR 
on CPUs without dedicated AES/GHASH instructions.

Since LibTomCrypt has no AES/GHASH acceleration support (AES-NI/ARM AES/etc.), 
AES-GCM is disabled by default and Chacha20-Poly1305 gets the highest priority.

Transferring 256Gb local file with scp on x86_64:

3des-cbc:                        16.8MB/s
aes128-cbc:                      57.1MB/s
aes256-cbc:                      52.1MB/s
aes128-ctr:                      56.8MB/s
aes256-ctr:                      51.7MB/s
aes128-gcm@openssh.com:          42.1MB/s
aes256-gcm@openssh.com:          39.0MB/s
chacha20-poly1305@openssh.com:  105.2MB/s

As seen, Chacha20-Poly1305 is about two times faster than AES-CTR; AES-GCM relies 
heavily on GHASH and is therefore slower (or maybe the LibTomCrypt approach is not 
really optimal).
So far, DROPBEAR_CHACHA20POLY1305 increases the dropbear binary by ~5.5 kB on 
x86_64 and DROPBEAR_ENABLE_GCM_MODE by ~6 kB, using LibTomCrypt routines.

The related PR against current sources is here: 
https://github.com/mkj/dropbear/pull/93
Also, the current sources do not allow CBC and CTR modes to be fully disabled, 
resulting in build errors.

An independent PR against current sources is here: 
https://github.com/mkj/dropbear/pull/95

If both patches are applied, the newly introduced sysoptions.h check needs to be 
extended with DROPBEAR_AEAD_MODE as well; I can't make a PR for that because it 
makes no sense unless both things are there.

In text form it will be just:

-#if !(DROPBEAR_ENABLE_CBC_MODE || DROPBEAR_ENABLE_CTR_MODE)

+#if !(DROPBEAR_ENABLE_CBC_MODE || DROPBEAR_ENABLE_CTR_MODE || 
DROPBEAR_AEAD_MODE)
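Review bot: the extended condition in the `+` line only works if DROPBEAR_AEAD_MODE is already defined at the point in sysoptions.h where this check is evaluated; an identifier that is not yet defined evaluates to 0 inside `#if`, so the check would silently fall back to `!(DROPBEAR_ENABLE_CBC_MODE || DROPBEAR_ENABLE_CTR_MODE)` and a build with only the AEAD ciphers enabled (DROPBEAR_CHACHA20POLY1305 and/or DROPBEAR_ENABLE_GCM_MODE) would still hit the build error this change is meant to remove. Place the line that derives DROPBEAR_AEAD_MODE from those two options above this check, and update the accompanying `#error` text so it names AEAD as a third way to satisfy the requirement.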
Review and/or any suggestions will be highly appreciated.
Thank you and Best Regards, Vladislav Grishenko

Attachment: 0001-Add-Chacha20-Poly1305-authenticated-encryption.patch
Description: Binary data

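The throughput table in the message above was produced by running scp once per cipher. The script below is an added example of how to reproduce that measurement; it is not the author's script and not part of the dropbear PR. It assumes a scp that accepts `-c <cipher>` and hands it to the ssh client (dropbear's scp passes it to dbclient), a host you can copy to, integer-second timing via date(1), and the cipher names from the table; the test file is random data so that any compressing link cannot inflate the figures.

```shell
#!/bin/sh
# Added example (not the author's script): time one scp transfer per cipher and
# report MB/s, the way the table in the e-mail was produced.
# Assumptions: "scp -c <cipher>" is honoured by the client, the remote side
# accepts writes to /dev/null, and date(1) gives whole seconds (good enough for
# multi-gigabyte transfers).

# throughput_mbps BYTES SECONDS -> MB/s with one decimal (1 MB = 1048576 bytes)
throughput_mbps() {
    awk -v b="$1" -v s="$2" 'BEGIN {
        if (s <= 0) s = 1;          # guard: a sub-second run is reported as 1 s
        printf "%.1f\n", b / s / 1048576
    }'
}

# bench_cipher CIPHER FILE USER@HOST -> prints "<cipher>: <N>MB/s" for one run.
# A cipher the peer does not offer makes the negotiation fail; that is reported
# rather than aborting the whole loop.
bench_cipher() {
    cipher="$1"; file="$2"; host="$3"
    size=$(wc -c < "$file")
    start=$(date +%s)
    if ! scp -q -c "$cipher" "$file" "$host:/dev/null"; then
        printf '%-32s failed (cipher not negotiated?)\n' "$cipher:"
        return 1
    fi
    end=$(date +%s)
    printf '%-32s %sMB/s\n' "$cipher:" "$(throughput_mbps "$size" $((end - start)))"
}

# Cipher names as listed in the table above.
CIPHERS="3des-cbc aes128-cbc aes256-cbc aes128-ctr aes256-ctr \
aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com"

# main USER@HOST [SIZE_MB]: build a random test file, then time every cipher.
main() {
    if [ $# -lt 1 ]; then
        echo "usage: $0 user@host [size_mb]   (default 1024)"
        return 0
    fi
    host="$1"; size_mb="${2:-1024}"
    file=$(mktemp) || return 1
    # Random payload: compressible data would make a compressing link look faster.
    dd if=/dev/urandom of="$file" bs=1048576 count="$size_mb" 2>/dev/null
    for c in $CIPHERS; do
        bench_cipher "$c" "$file" "$host"
    done
    rm -f "$file"
}

main "$@"
```

Run it as `sh bench-ciphers.sh user@host 4096` for a 4 GB file; with no arguments it only prints its usage. The numbers reflect one transfer each, so repeat the run and compare medians before drawing conclusions about a cipher, and keep the destination on the same box (or a fast LAN) so the link, not the cipher, is not the bottleneck.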