HMAC-SHA256 versus GCM

Guus Sliepen guus at tinc-vpn.org
Thu Sep 19 22:25:10 CEST 2013


Hello,

Tinc 1.0 allowed you to choose a cipher and digest algorithm. However, it only
worked well with the cipher in CBC mode, and would always use a HMAC to
authenticate packets. For tinc 1.1, I have done some tests with different hash
algorithms but also with Galois Counter Mode (GCM). The HMAC contributes to a
large part of the CPU cycles spent on packets. Unfortunately, all the fast hash
algorithms are also the cryptographically weak ones. Instead of a HMAC, GCM
also provides authentication of packets, and it is much faster, particularly on
the latest Intel processors with AES and PCLMULQDQ instructions. Here are some
results from the sptps_speed utility: 

Processor                      AES-256-CTR+HMAC-SHA256     AES-256-GCM
----------------------------------------------------------------------
Intel Atom N270, 1.6 GHz                  59.48 Mbit/s    89.63 Mbit/s
Intel Atom 330, 1.6 GHz                   79.72 Mbit/s   238.11 Mbit/s
AMD Phenom II X4 965, 3.4 GHz            336.96 Mbit/s   478.66 Mbit/s
Intel Core i3-3220T, 2.8 GHz             543.64 Mbit/s     1.69 Gbit/s
Intel Core i7-3960X, 3.3 GHz             787.99 Mbit/s     5.60 Gbit/s

So I think I will change the SPTPS protocol to use GCM instead. GCM is a bit
more tricky to implement correctly than a HMAC though, but most of the caveats
are the same as for CTR mode.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20130919/37d65006/attachment.sig>


More information about the tinc mailing list