Skip to content

Latest commit

 

History

History
100 lines (81 loc) · 4.8 KB

methods.rst

File metadata and controls

100 lines (81 loc) · 4.8 KB

Encryption & authentication methods

fastd supports various combinations of ciphers and authentication schemes using different method providers. All ciphers, message authentication codes (MACs) and method providers can be disabled during compilation to reduce the binary size.

See Benchmarks for an overview of the performance of the different methods.

Recommended methods

The method salsa2012+umac is recommended for authenticated encyption. null+salsa2012+umac is the recommended method for authenticated-only operation.

Salsa20/12 is a stream cipher with very high speed and a very comfortable security margin. It has been chosed for the software profile in the eSTREAM project in 2008.

UMAC is an extremely fast message authentication code which is provably secure and optimized for software implementations.

OpenWrt

Too keep the binary as small as possible, only the following methods are enabled on OpenWrt by default:

  • salsa2012+gmac
  • salsa2012+umac
  • null+salsa2012+gmac
  • null+salsa2012+umac
  • null

Of these, the GMAC-based methods may be dropped in the future to further reduce the binary size, as UMAC is the superior authentication scheme (it is faster than GMAC, provably secure and its software implementation isn't suspect to timing side channels).

List of methods

Encrypted methods

Method Method provider Cipher MAC Notes
aes128-gcm generic-gmac aes128-ctr ghash [2]
salsa20+gmac generic-gmac salsa20 ghash  
salsa2012+gmac generic-gmac salsa2012 ghash  
aes128-ctr+umac generic-umac aes128-ctr uhash [2]
salsa20+umac generic-umac salsa20 uhash  
salsa2012+umac generic-umac salsa2012 uhash  
aes128-ctr+poly1305 generic-poly1305 aes128-ctr none [1] [2], [3]
salsa20+poly1305 generic-poly1305 salsa20 none [1] [3]
salsa2012+poly1305 generic-poly1305 salsa2012 none [1] [3]

This list is not exhaustive. It is possible to combine different ciphers for data and authentication tag encryption using the composed-gmac and composed-umac method providers; these methods aren't listed here as this is not very useful.

Authenticated-only methods

Method Method provider Cipher MAC Notes
null+aes128-gmac composed-gmac aes128-ctr ghash [2], [4]
null+salsa20+gmac composed-gmac salsa20 ghash [4]
null+salsa2012+gmac composed-gmac salsa2012 ghash [4]
null+aes128-ctr+umac composed-umac aes128-ctr uhash [2], [4]
null+salsa20+umac composed-umac salsa20 uhash [4]
null+salsa2012+umac composed-umac salsa2012 uhash [4]

Methods without security

Method Method provider Cipher MAC Notes
null null none none [5]

Deprecated methods

Method Method provider Cipher MAC Notes
xsalsa20-poly1305 xsalsa20-poly1305 none none [6]
Since fastd v11 salsa20+poly1305 should be used instead (or even better a more performant method like salsa2012+gmac); xsalsa20-poly1305 will be removed eventually.
[1](1, 2, 3) The MAC is integrated in the method provider.
[2](1, 2, 3, 4, 5) AES is very slow without OpenSSL support. OpenSSL's AES implementation may be suspect to cache timing side channels when no hardware support like AES-NI is available.
[3](1, 2, 3) Poly1305 is very slow on embedded systems.
[4](1, 2, 3, 4, 5, 6) The cipher is used to encrypt the authentication tag only, the actual data is transmitted unencrypted.
[5]Only authentication of peers' IP addresses, but no encryption or authentication of any data is provided.
[6]Both the cipher and the MAC are integrated in the method provider.