Wednesday, May 15, 2013

Faster cipher in OpenSSH

The default cipher used with ssh and scp version 1 (3des) is very secure but slow. Version 2 improved on that with support for more ciphers, and by default the fastest are used. I wanted to find out which cipher is the fastest. Warning: change the cipher only if strong security is unimportant (e.g. when transferring between two servers in a trusted LAN).

For the test, I created a half-GB binary file with random content on my Linux laptop:

laptop $ dd if=/dev/urandom of=ciphertest.data bs=1M count=512
laptop $ hexdump ciphertest.data |head

Then I transferred this file to an idle VM hosted on the same PC, once with each available cipher. To avoid typing the password many times, I set up key-based authentication:

$ ssh-keygen
...
$ ssh-copy-id ant@192.168.14.70

Here is the script ciphertest.sh:

#!/bin/bash
# Measures speed of different SSH ciphers.
# Before, you may want to run:
# $ ssh-keygen
# $ ssh-copy-id $USER_HOST
# to save time on typing passwords. If your key is encrypted with a passphrase
# you had better start an ssh agent or you will have to type the passphrase many times.
# $ eval $(ssh-agent)
# $ ssh-add ~/.ssh/id_dsa

# You can find this list in ssh_config(5)
CIPHERS=(3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr \
         aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com arcfour128 \
         arcfour256 arcfour blowfish-cbc cast128-cbc)
USER_HOST="ant@192.168.14.70"

# Create the 512 MB test file in a temporary location
TMPFILE=$(mktemp)
echo -n "Generating random file. Please wait... "
dd if=/dev/urandom of="$TMPFILE" bs=1M count=512
echo "done!"

# Copy the same file once per cipher; scp prints the transfer rate
for cypher in "${CIPHERS[@]}"; do
    echo "$cypher"
    scp -c "$cypher" "$TMPFILE" "$USER_HOST:ciphertest.data"
    echo
done
ssh "$USER_HOST" rm ciphertest.data

rm "$TMPFILE"

and here are the results:

$ ./ciphertest.sh
Generating random file. Please wait... 512+0 records in
512+0 records out
536870912 bytes (537 MB) copied, 37.1943 s, 14.4 MB/s
done!
3des-cbc
tmp.pmPSfoUGqT 100% 512MB 13.5MB/s 00:38

aes128-cbc
tmp.pmPSfoUGqT 100% 512MB 46.6MB/s 00:11

aes192-cbc
tmp.pmPSfoUGqT 100% 512MB 46.6MB/s 00:11

aes256-cbc
tmp.pmPSfoUGqT 100% 512MB 42.7MB/s 00:12

aes128-ctr
tmp.pmPSfoUGqT 100% 512MB 51.2MB/s 00:10

aes192-ctr
tmp.pmPSfoUGqT 100% 512MB 46.6MB/s 00:11

aes256-ctr
tmp.pmPSfoUGqT 100% 512MB 46.6MB/s 00:11

aes128-gcm@openssh.com
tmp.pmPSfoUGqT 100% 512MB 42.7MB/s 00:12

aes256-gcm@openssh.com
tmp.pmPSfoUGqT 100% 512MB 42.7MB/s 00:12

arcfour128
tmp.pmPSfoUGqT 100% 512MB 51.2MB/s 00:10

arcfour256
tmp.pmPSfoUGqT 100% 512MB 46.6MB/s 00:11

arcfour
tmp.pmPSfoUGqT 100% 512MB 51.2MB/s 00:10

blowfish-cbc
tmp.pmPSfoUGqT 100% 512MB 32.0MB/s 00:16

cast128-cbc
tmp.pmPSfoUGqT 100% 512MB 32.0MB/s 00:16
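
To compare runs without reading the progress lines by eye, the output above can be turned into a ranked list. The following is an added example, not part of the original post: the function names `rank_ciphers` and `sample_output` are made up here, and a cipher with no progress line is reported as failed.

```shell
#!/bin/sh
# Added example: rank the cipher timings printed by ciphertest.sh.

# Constructed sample: lines copied from the results above, except that the
# arcfour entry has no progress line, to stand in for a failed transfer.
sample_output() {
cat <<'EOF'
Generating random file. Please wait... 512+0 records in
512+0 records out
536870912 bytes (537 MB) copied, 37.1943 s, 14.4 MB/s
done!
3des-cbc
tmp.pmPSfoUGqT 100% 512MB 13.5MB/s 00:38

aes128-ctr
tmp.pmPSfoUGqT 100% 512MB 51.2MB/s 00:10

aes256-gcm@openssh.com
tmp.pmPSfoUGqT 100% 512MB 42.7MB/s 00:12

arcfour

blowfish-cbc
tmp.pmPSfoUGqT 100% 512MB 32.0MB/s 00:16
EOF
}

# Reads ciphertest.sh output on stdin; prints "<MB/s> <cipher>", fastest first.
rank_ciphers() {
    awk '
        function emit() {
            if (name == "") return
            r = (rate == "") ? "failed" : rate
            print r, name
        }
        # A line holding one cipher-like token starts a new measurement.
        NF == 1 && $1 ~ /^[a-z0-9@.-]+$/ { emit(); name = $1; rate = ""; next }
        name != "" {
            # Keep the last rate on the line (scp redraws its progress meter).
            s = $0
            while (match(s, "[0-9.]+[KMG]B/s")) {
                num = substr(s, RSTART, RLENGTH - 4) + 0
                unit = substr(s, RSTART + RLENGTH - 4, 1)
                if (unit == "K") num /= 1024
                if (unit == "G") num *= 1024
                rate = sprintf("%.1f", num)
                s = substr(s, RSTART + RLENGTH)
            }
        }
        END { emit() }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

sample_output | rank_ciphers
```

On a real run, pipe the script into it: `./ciphertest.sh | rank_ciphers`.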
