[OpenWrt-Devel] [PATCH] [package] dropbear: enable sha2-based hmac by default.

Alive4Ever alive4ever at live.com
Wed Oct 8 14:32:53 EDT 2014


On Friday, October 03, 2014 01:55:29 PM Weedy wrote:
> Based off failed ciphers/macs
> no matching cipher found: client rijndael-cbc@lysator.liu.se server
> aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc
> no matching mac found: client hmac-ripemd160-etm@openssh.com server
> hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5
> 
> # push 25 MiB of zeros through every cipher/mac pair, three runs each
> for cipher in 3des-cbc 3des-ctr aes128-cbc aes256-cbc aes128-ctr aes256-ctr; do
>   for mac in hmac-md5 hmac-sha1 hmac-sha2-256 hmac-sha2-512; do
>     echo ""; echo "cipher: $cipher"; echo "mac: $mac"
>     for bah in 1 2 3; do
>       dd if=/dev/zero bs=1M count=25 | ssh -c "$cipher" -m "$mac" -o "Compression no" root@openwrt.lan 'time cat - >/dev/null'
>       echo ""; sleep 2
>     done
>   done
> done
> 
> OpenSSH_6.6.1 connecting to TP-Link 4300, time to transfer 26MiB of junk
> to null. Best of three, my router is in use and not idle.
> 
> 3des-cbc
> +---------+----------+----------+----------+----------+
> |time\hmac|    md5   |   sha1   |  sha256  |  sha512  |
> +---------+----------+----------+----------+----------+
> | real    | 0m27.65s | 0m27.98s | 0m29.47s | 0m31.93s |
> | user    | 0m 0.05s | 0m 0.04s | 0m 0.02s | 0m 0.04s |
> | sys     | 0m 0.25s | 0m 0.22s | 0m 0.24s | 0m 0.22s |
> +---------+----------+----------+----------+----------+
> 
> aes128-cbc
> +---------+----------+----------+----------+----------+
> |time\hmac|    md5   |   sha1   |  sha256  |  sha512  |
> +---------+----------+----------+----------+----------+
> | real    | 0m12.07s | 0m12.62s | 0m13.61s | 0m16.05s |
> | user    | 0m 0.02s | 0m 0.03s | 0m 0.00s | 0m 0.02s |
> | sys     | 0m 0.27s | 0m 0.23s | 0m 0.21s | 0m 0.22s |
> +---------+----------+----------+----------+----------+
> 
> aes256-cbc
> +---------+----------+----------+----------+----------+
> |time\hmac|    md5   |   sha1   |  sha256  |  sha512  |
> +---------+----------+----------+----------+----------+
> | real    | 0m13.32s | 0m13.61s | 0m14.97s | 0m17.71s |
> | user    | 0m 0.02s | 0m 0.03s | 0m 0.03s | 0m 0.03s |
> | sys     | 0m 0.27s | 0m 0.23s | 0m 0.22s | 0m 0.28s |
> +---------+----------+----------+----------+----------+
> 
> aes128-ctr
> +---------+----------+----------+----------+----------+
> |time\hmac|    md5   |   sha1   |  sha256  |  sha512  |
> +---------+----------+----------+----------+----------+
> | real    | 0m12.64s | 0m12.80s | 0m13.74s | 0m16.19s |
> | user    | 0m 0.04s | 0m 0.02s | 0m 0.02s | 0m 0.01s |
> | sys     | 0m 0.18s | 0m 0.24s | 0m 0.17s | 0m 0.23s |
> +---------+----------+----------+----------+----------+
> 
> aes256-ctr
> +---------+----------+----------+----------+----------+
> |time\hmac|    md5   |   sha1   |  sha256  |  sha512  |
> +---------+----------+----------+----------+----------+
> | real    | 0m13.40s | 0m13.84s | 0m15.20s | 0m18.11s |
> | user    | 0m 0.01s | 0m 0.03s | 0m 0.02s | 0m 0.00s |
> | sys     | 0m 0.17s | 0m 0.16s | 0m 0.18s | 0m 0.24s |
> +---------+----------+----------+----------+----------+
> 
> 
> We should dump 3des-* and pick up arcfour*

Thanks for performing the cipher speed test in addition to the hmac test.
I realize that there is no need to enable a stronger hash function for
hmac. The md5 collision attacks and 'predicted' sha1 collision attacks
only affect the `pure` digest function. There is no known attack
affecting hmac-md5 or hmac-sha1, because hmac is not as simple as a
digest. It's an advanced operation to verify the deciphered message,
operating block by block repeatedly. It's surely hard to perform a
collision attack on hmac, because the underlying layer is already
encrypted, for example by the aes128-ctr cipher.

Currently, there is no formal advice to enable a stronger digest for hmac.
The well-known OpenSSH is still using hmac-md5 as the default message
authentication algorithm, although it has added support for sha2-based
hmac since 5.9. To be specific, OpenSSH is using
hmac-md5-etm@openssh.com - a special extension added by OpenSSH to add
more security to hmac-md5 - if the server supports it.

IETF says that hmac-md5 isn't broken, although the md5 hash function is
considered weak against collision attacks.

https://www.ietf.org/mail-archive/web/cfrg/current/msg01202.html

There is no need to rush. I know that when the time comes, OpenWrt
developers will enable hmac-sha2 by default. Maybe years from now, or
when the dropbear upstream enables hmac-sha2 by default.
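A defender-side check added here as an example (not code from the thread or from dropbear): it parses an SSH KEXINIT payload (RFC 4253 section 7.1) and reports whether a server offers and prefers sha2-based HMACs, which is what this patch changes for dropbear. The sample payload is constructed from the server lists in the log quoted above; the kex and host-key names are placeholders.

```python
import struct

SSH_MSG_KEXINIT = 20
# Name-list fields of KEXINIT in wire order (RFC 4253 section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# Constructed sample lists, copied from the server side of the log quoted above.
SERVER_CIPHERS = "aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc"
SERVER_MACS = "hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5"


def _name_list(names):
    data = names.encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(ciphers, macs, cookie=b"\x00" * 16):
    """Build a constructed KEXINIT payload; kex/hostkey lists are placeholders."""
    lists = ["diffie-hellman-group14-sha1", "ssh-rsa", ciphers, ciphers,
             macs, macs, "none", "none", "", ""]
    body = b"".join(_name_list(x) for x in lists)
    # Trailer: boolean first_kex_packet_follows, then uint32 reserved (0).
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Parse a KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, out = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        out[field] = raw.split(",") if raw else []
    out["first_kex_packet_follows"] = bool(payload[pos])
    return out


def assess(kexinit):
    """Report MAC and cipher preference from the server-to-client lists."""
    macs, ciphers = kexinit["mac_s2c"], kexinit["enc_s2c"]
    return {"preferred_mac": macs[0] if macs else None,
            "prefers_sha2": bool(macs) and "sha2" in macs[0],
            "offers_sha2": any("sha2" in m for m in macs),
            "legacy_macs": [m for m in macs if "sha2" not in m],
            # 3DES is slow on this hardware; RC4 (arcfour) is deprecated by RFC 8758.
            "legacy_ciphers": [c for c in ciphers if c.startswith(("3des", "arcfour"))]}


if __name__ == "__main__":
    print(assess(parse_kexinit(build_kexinit(SERVER_CIPHERS, SERVER_MACS))))
```

Run against a real server by feeding the payload of the first packet it sends after the version banner to parse_kexinit.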