Mailinglist Archive: opensuse-security (757 mails)

RE: [suse-security] which cipher for ssh2
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Fri, 25 Jan 2002 06:47:13 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56CEE@xxxxxxxxxxxxxxxxx>
> Which cipher would be safest for ssh v2?
> I have to choose from AES 128-256, RC4, Twofish, 3DES, Blowfish?

Disclaimer note: This is all in some people's opinions. No liability is
accepted whatsoever. And it's from the back of my head, so take it with a
grain of salt.

First, a bit on *symmetric* key lengths, though. A cryptographer colleague
of mine says that nowadays, keys of 80 or 90 bits length (I forget which of
the two, it's less than 112 bits and that's the point) are considered
practically unbreakable by brute-force methods. This is a statistical fact,
because *on average* you need to test half of the keyspace to find the
correct key. Of course, you can be lucky in one attempt and find the key at
the first (or the first 10^x, x < e.g. 10) attempts, or be unlucky and have
to search the entire keyspace, which amounts to never being able to find the
key. It makes good sense to change symmetric keys regularly (SSH does this).
However, as long as the cipher algorithm is sound, currently 112 bits and
higher can be considered safe.

On a side note, it is also perfectly safe today to use 1024-bit RSA keypairs.
4096, 8192 or even more bits currently merely serve to induce a performance
penalty. 2048 bits are OK, too.

* AES (aka Rijndael): Is fast and should be pretty secure, has undergone
quite a bit of public verification in a good process (NIST AES challenge).
Some people have reservations about its security because it uses a
relatively new technique and IIRC doesn't use as many 'cycles' as they'd
like.

* RC4: Don't know much about it. It's used extensively on the Web.

* Twofish: Schneier's AES candidate made it into the final round and can
therefore be considered secure and fast. IIRC, it's slower than Rijndael,
though, inducing more of a performance hit. Whether that matters in your
case is a different matter. The choice between Twofish and Rijndael is
probably more of a matter of personal taste.

* 3DES: The classic. Safe and well tested, but real slow.

* Blowfish: Fast. Should be secure, but probably hasn't been cryptanalysed
as much as 3DES, Twofish and Rijndael, so there might be undiscovered
problems. I wouldn't sweat that personally, though, and use Blowfish or
Rijndael on old hardware.

Another note: All of the ciphers above are so hard to break that attackers
typically won't bother with them. Instead, they'll attack the endpoints,
i.e. SSH client and server. Remember the apache.org break-in. A legit user
had a trojaned, password-sniffing SSH client, which transmitted the
passwords to the attackers. The connection wasn't attacked, the endpoint
was. It's similar with Web attacks. Hackers currently don't often attack the
connection, be it SSL-encrypted or not. They attack the servers; it's still
so much easier.

Cheers
Tobias
