[PATCH] Add Chacha20-Poly1305 and AES-GCM ciphers

Vladislav Grishenko themiron.ru at gmail.com
Sat May 9 19:38:16 AWST 2020


Hello,

The previous patch adds a regression: dbclient throws the error "Sorry, I won't let you use password auth unencrypted." when Chacha20-Poly1305 is negotiated, despite the fact that encryption is in place.

Please refer to the fixed version attached; https://github.com/mkj/dropbear/pull/93 is also updated.

Best Regards, Vladislav Grishenko

From: Vladislav Grishenko <themiron.ru at gmail.com> 
Sent: Sunday, April 26, 2020 5:49 AM
To: dropbear at ucc.asn.au
Cc: 'Matt Johnston' <matt at ucc.asn.au>
Subject: [PATCH] Add Chacha20-Poly1305 and AES-GCM ciphers

Hello,

Chacha20-Poly1305 and AES-GCM are authenticated encryption ciphers, widely supported by multiple SSH servers and clients.

- Chacha20-Poly1305 is faster than AES-256 on CPUs without dedicated AES instructions, while having the same key size.

- AES-GCM is a combination of AES-CTR mode and GHASH, and is slower than AES-CTR on CPUs without dedicated AES/GHASH instructions.

Since LibTomCrypt has no AES/GHASH acceleration support (AES-NI, ARM AES, etc.), AES-GCM is disabled by default and Chacha20-Poly1305 gets the highest priority.

Transferring a 256Gb local file with scp on x86_64:

3des-cbc:                        16.8MB/s
aes128-cbc:                      57.1MB/s
aes256-cbc:                      52.1MB/s
aes128-ctr:                      56.8MB/s
aes256-ctr:                      51.7MB/s
aes128-gcm@openssh.com:          42.1MB/s
aes256-gcm@openssh.com:          39.0MB/s
chacha20-poly1305@openssh.com:  105.2MB/s

As seen, Chacha20-Poly1305 is ~two times faster than aes-ctr; aes-gcm relies heavily on GHASH and is therefore slower (or maybe the LibTomCrypt approach is not really optimal).

So far, DROPBEAR_CHACHA20POLY1305 increases the dropbear binary by ~5.5kB on x86_64, and DROPBEAR_ENABLE_GCM_MODE by ~6kB, using LibTomCrypt routines.

The related PR against current sources is here: https://github.com/mkj/dropbear/pull/93

Also, the current sources do not allow CBC & CTR modes to be fully disabled, resulting in build errors.

An independent PR against current sources is here: https://github.com/mkj/dropbear/pull/95

If both patches are applied, the newly introduced sysoptions.h check needs to be extended with DROPBEAR_AEAD_MODE as well; I can't make a PR for it because it makes no sense unless both things are there.

In text form it will just be:

-#if !(DROPBEAR_ENABLE_CBC_MODE || DROPBEAR_ENABLE_CTR_MODE)

+#if !(DROPBEAR_ENABLE_CBC_MODE || DROPBEAR_ENABLE_CTR_MODE || DROPBEAR_AEAD_MODE)
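Review bot: the added DROPBEAR_AEAD_MODE term only helps if that macro is defined before this #if is evaluated in sysoptions.h; an undefined identifier silently evaluates to 0 inside #if, so an AEAD-only build (DROPBEAR_CHACHA20POLY1305 set, CBC and CTR both disabled) would still trip the error this check guards. Confirm that its definition, presumably along the lines of `#define DROPBEAR_AEAD_MODE (DROPBEAR_CHACHA20POLY1305 || DROPBEAR_ENABLE_GCM_MODE)`, sits above the check, or add an `#ifndef DROPBEAR_AEAD_MODE` fallback to 0 so the dependency is explicit.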

Review and/or any suggestions will be highly appreciated.

Thank you and

Best Regards, Vladislav Grishenko

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-Chacha20-Poly1305-authenticated-encryption.patch
Type: application/octet-stream
Size: 23776 bytes
Desc: not available
Url : https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20200509/503bef9d/attachment-0001.obj 
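The two messages above describe Chacha20-Poly1305 only at the level of speed and binary size. The following is an added, stand-alone example (not dropbear code, not from the attached patch, and not from LibTomCrypt) that implements the chacha20-poly1305@openssh.com packet construction as OpenSSH's PROTOCOL.chacha20poly1305 describes it: a 64-byte key split into K_2 (payload) and K_1 (packet_length), the packet sequence number as the 64-bit nonce, block 0 of K_2's keystream as the one-time Poly1305 key, and a tag over the encrypted length plus encrypted body. The ChaCha20 and Poly1305 primitives are written out in pure Python so nothing beyond the standard library is needed; function names, the 64-byte test key and the sample body are constructed for this example.

```python
"""chacha20-poly1305@openssh.com sealing/opening, pure Python (added example, not dropbear code)."""
import hmac
import struct

MASK32 = 0xffffffff


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, tail: bytes) -> bytes:
    """One 64-byte ChaCha20 keystream block. `tail` is the 16-byte counter||nonce
    region of the state, so both the RFC 8439 layout (32-bit counter + 96-bit nonce)
    and the original DJB layout used by openssh.com (64-bit counter + 64-bit nonce)
    can be expressed by the caller."""
    assert len(key) == 32 and len(tail) == 16
    state = list(struct.unpack('<16I', b'expand 32-byte k' + key + tail))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double-rounds (column, then diagonal)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack('<16I', *((x + y) & MASK32 for x, y in zip(w, state)))


def poly1305(key: bytes, msg: bytes) -> bytes:
    """RFC 8439 Poly1305: 16-byte one-time authenticator under a 32-byte (r, s) key."""
    r = int.from_bytes(key[:16], 'little') & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s = int.from_bytes(key[16:32], 'little')
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):
        chunk = msg[i:i + 16]
        n = int.from_bytes(chunk, 'little') | (1 << (8 * len(chunk)))
        acc = ((acc + n) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, 'little')


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _ssh_stream(key: bytes, seqnr: int, first_block: int, data: bytes) -> bytes:
    """ChaCha20 XOR in the openssh.com layout: 64-bit little-endian block counter,
    64-bit big-endian nonce = packet sequence number (fresh keystream per packet)."""
    nonce = struct.pack('>Q', seqnr)
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 64)):
        ks = chacha20_block(key, struct.pack('<Q', first_block + i) + nonce)
        out += _xor(data[off:off + 64], ks)
    return bytes(out)


def ssh_chacha_seal(key64: bytes, seqnr: int, body: bytes) -> bytes:
    """Seal one SSH binary packet body (padding_length||payload||padding, i.e. everything
    after the 4-byte packet_length). key64 is the 64-byte KEX-derived key:
    K_2 = key64[:32] protects the body, K_1 = key64[32:] protects packet_length."""
    k_main, k_len = key64[:32], key64[32:64]
    nonce = struct.pack('>Q', seqnr)
    # packet_length is encrypted on its own with K_1 so the receiver can learn the length
    # before verifying anything; it is still covered by the Poly1305 tag below.
    enc_len = _xor(struct.pack('>I', len(body)), chacha20_block(k_len, bytes(8) + nonce))
    # Block 0 of K_2's keystream is the one-time Poly1305 key; the body uses blocks 1..n.
    poly_key = chacha20_block(k_main, bytes(8) + nonce)[:32]
    enc_body = _ssh_stream(k_main, seqnr, 1, body)
    tag = poly1305(poly_key, enc_len + enc_body)
    return enc_len + enc_body + tag


def ssh_chacha_open(key64: bytes, seqnr: int, packet: bytes) -> bytes:
    """Inverse of ssh_chacha_seal; raises ValueError on any length or tag problem."""
    k_main, k_len = key64[:32], key64[32:64]
    nonce = struct.pack('>Q', seqnr)
    if len(packet) < 4 + 16:
        raise ValueError('packet too short')
    enc_len = packet[:4]
    body_len, = struct.unpack('>I', _xor(enc_len, chacha20_block(k_len, bytes(8) + nonce)))
    if len(packet) != 4 + body_len + 16:
        raise ValueError('decrypted packet_length does not match packet size')
    enc_body, tag = packet[4:4 + body_len], packet[4 + body_len:]
    poly_key = chacha20_block(k_main, bytes(8) + nonce)[:32]
    # Encrypt-then-MAC: verify the tag in constant time before decrypting the body.
    if not hmac.compare_digest(tag, poly1305(poly_key, enc_len + enc_body)):
        raise ValueError('Poly1305 tag mismatch')
    return _ssh_stream(k_main, seqnr, 1, enc_body)


if __name__ == '__main__':
    demo_key = bytes(range(64))                      # constructed test key, not a real KEX output
    demo_body = b'\x04' + b'SSH_MSG_IGNORE-ish payload' + bytes(4)
    sealed = ssh_chacha_seal(demo_key, 3, demo_body)
    print(len(sealed), ssh_chacha_open(demo_key, 3, sealed) == demo_body)
```

The point worth noticing against the regression mentioned at the top of this thread: with this mode the "MAC" is not a separate algorithm at all, so any check that decides whether a session is encrypted (or integrity-protected) by looking only at a separate cipher or MAC name has to treat the AEAD cipher name as satisfying both roles.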

