4

Mac Sierra recently deprecated blowfish, but I don't understand use-case differences of other ciphers. This is for testing a remote web project with X11Forwarding. I'm also curious about the last option,

ehacinom
  • 151
  • 1
  • 1
  • 6
  • 3
    The first three are counter mode AES, the cipher is AES and the mode is counter. 128,192,256 refers to the block (and key) size which is used. The larger block sizes also have a different number of rounds: 10, 12 or 14 respectively. There are also differences in how the round keys are derived. See here for more detail: http://crypto.stackexchange.com/questions/20/what-are-the-practical-differences-between-256-bit-192-bit-and-128-bit-aes-enc – Chris Jan 26 '17 at 10:55
  • 1
    AES GCM is the same cipher (in 128 and 256 bit block sizes) but with a different mode. Galois counter mode (GCM) is highly efficient and sometimes prefered for high throughput applications. – Chris Jan 26 '17 at 10:55
  • chacha20-poly1305 is a totally different cipher. ChaCha20 is a variant of the salsa stream cipher Poly1305 is a message authentication code (MAC) algorithm. Google adopted this in their TLS cipher suite shortly followed by OpenSSL. This decision was driven by the desire for better mobile device performance. – Chris Jan 26 '17 at 10:59
  • 1
    @Chris: AES block size is always 128; only the key size varies. And CTR and GCM are stream modes that don't use the block size anyway. fgrieu's answer is (and was) right. – dave_thompson_085 Jan 27 '17 at 05:11
  • @dave_thompson_085 thanks dave! I'd somehow overlooked that only the key size changes. – Chris Jan 27 '17 at 11:07

1 Answers1

9

CTR mode aims at confidentiality only; GCM additionally aims at integrity (catching attempts to forge or modify a message by one not holding the key, nor having some form of access to a device holding it).

The numbers 128, 192 and 256 are the key size in bits. 128 bits of key is secure enough for most purposes; 192 (or more) is enough for all purposes, except when there is a regulatory requirement for even more. AES192 (resp. AES256) is slower than AES128 by roughly 20% (resp. 40%).

Chacha20-Poly1305 is functionally comparable to AES128-GCM (giving confidentiality and integrity), but is easier to implement securely and efficiently, especially without AES support in hardware.

fgrieu
  • 140,762
  • 12
  • 307
  • 587
  • 4
    Note SSH traditionally uses a 'cipher' for confidentiality and a separate 'mac' (usually HMAC) for integrity; AEAD/combined schemes like GCM and ChaCha/Poly (where the 'cipher' is also the 'mac') are fairly recent. – dave_thompson_085 Jan 27 '17 at 05:11
  • for i in `ssh -Q cipher`; do dd if=/dev/zero bs=1M count=100 2> /dev/null | ssh -c $i localhost "(time -p cat) > /dev/null" 2>&1 | grep real | awk '{print "'$i': "100 / $2" MB/s" }'; done shows for me that aes256-ctr is the fastest (faster than aes128-ctr), but that [email protected] is faster than [email protected]. – inetknght Dec 13 '19 at 16:33