HMAC-SHA256 versus GCM
Guus Sliepen
guus at tinc-vpn.org
Thu Sep 19 22:25:10 CEST 2013
Hello,
Tinc 1.0 allowed you to choose a cipher and digest algorithm. However, it only
worked well with the cipher in CBC mode, and would always use a HMAC to
authenticate packets. For tinc 1.1, I have done some tests with different hash
algorithms but also with Galois Counter Mode (GCM). The HMAC contributes to a
large part of the CPU cycles spent on packets. Unfortunately, all the fast hash
algorithms are also the cryptographically weak ones. Instead of a HMAC, GCM
also provides authentication of packets, and it is much faster, particularly on
the latest Intel processors with AES and PCLMULQDQ instructions. Here are some
results from the sptps_speed utility:
Processor AES-256-CTR+HMAC-SHA256 AES-256-GCM
----------------------------------------------------------------------
Intel Atom N270, 1.6 GHz 59.48 Mbit/s 89.63 Mbit/s
Intel Atom 330, 1.6 GHz 79.72 Mbit/s 238.11 Mbit/s
AMD Phenom II X4 965, 3.4 GHz 336.96 Mbit/s 478.66 Mbit/s
Intel Core i3-3220T, 2.8 GHz 543.64 Mbit/s 1.69 Gbit/s
Intel Core i7-3960X, 3.3 GHz 787.99 Mbit/s 5.60 Gbit/s
So I think I will change the SPTPS protocol to use GCM instead. GCM is a bit
more tricky to implement correctly than a HMAC though, but most of the caveats
are the same as for CTR mode.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20130919/37d65006/attachment.sig>
More information about the tinc
mailing list