Andrew--

Funny, I was just talking about this with one of the dev guys.

Here's the problem--while what you're moving doesn't have any security
considerations(same here--but I'm moving GPG encrypted files), without a
cipher and the associated per-message authentication that goes with it, you
have no way to prevent an attacker from injecting arbitrary packets or
commands(like rm -rf *).

Sure, *you* might be sending trivial messages, but you can't predict
what *other* people will send. The crypto prevents their messages from
being meaningful.

SSH2 does have a real HMAC per-packet authenticator, and indeed might be
amenable to what you describe--essentially, something similar to AH-mode
IPSec. But someone else will have to say whether the HMAC is capable of
being used in this manner, and performance will never be as high as a
full-out null cipher.

Incidentally--if anyone out there is skilled at profiling code, I think
the SSH client could use a look. I think there are absolute limits embedded
in there as to how fast it may run, because it'll never use up as much CPU
as is available to it and will top out at 150-220K/s no matter the speed of
the client or server.

Yours Truly,

Dan Kaminsky, CISSP
http://www.doxpara.com

3des is extremely slow, slower by far than almost any other cipher in
common usage. I remember someone doing some time trials for different
ciphers and posting to the list a couple months ago - check the
archives. In any event, try blowfish or aes instead of 3des.
The scheme you're talking about isn't vulnerable to password sniffing, but
it _is_ vulnerable to hijacking. The crypto in this case is serving to
authenticate each individual packet as well as hide the data, so when you
get rid of the crypto, an attacker can take over either end of the
connection, inject packets (containing commands), etc, even though he
doesn't know the password.

That said, there are other authentication schemes that avoid sending
passwords in the clear. CHAP stores the password in the clear but never
sends it over the wire. OPIE (aka, S/Key) is even better as it neither
sends nor stores the password in the clear.

Before ssh was in wide use, I had my users use opie-ftpd.
You could also use crypto here too. Most webservers can trivially be ssl
wrapped (check out stunnel, sslproxy, etc), some webservers have native
support for openssl (apache + mod_ssl is particularly popular), and there
are many available ssl webclients (curl, lynx-ssl, etc). You can use
either HTTP authentication inside of the ssl stream, or, maybe better, you
can require both the client and the server to authenticate each other with
ssl certs. (These roughly correspond to password auth and public key auth
in ssh.) I'm sure that at least one of these combinations can be
configured with a fast, low overhead cipher.


-Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you
lead have become alarmed at your own brutality. --John Gardner

I wonder where you got that 150-220K/s number. That's completely untrue.
I've scp'd, using a fast cipher like arcfour (blowfish isn't bad either),
files over 100baseTx LAN at the speed of over 5 MB/s or so.

It is supported for ssh2. ssh -2 -oCiphers=arcfour ...

-d

"scp -c none with RSA authentication"

does not protect the integrity of the data you transfer.

I've spent a bit of time measuring things between two SGI machines - old
and not-quite-so old. These are multiprocessor machines so the total CPU
effort is quite good for data analysis still though a single task like SSH
will lag a new Intel appreciably. I can't remember the clock speed -
120MHz or something on the older one I think though I believe the MIPS
chip needs less clock cycles per instruction than Pentium (and the
floating point's better)

SGI Irix 6.5 MIPSchip IP27 -> Irix 5.3 MIPSchip IP19 on 100BaseT

4Mb file times given in seconds (transfer time)/(including setup)
comands e.g. time scp2 -c twofish -P 8122 test.dat remote:/tmp

CIPHER
Transport none DES 3des blowfish twofish arcfour idea cast128 aes128 aes256 rijndael

NFS 2.0
ftp 5.3
HTTP 5.5
openssh 7/12 4/9 5/16 5/18 7/19 9/21 7/17
ssh1 5/6.5 10 22/24 7/8 6/6.2 13
ssh2 21/24 26/29 20/23 19/22 20/23 21/24
ssh1->openssh 11/11 5/5.4
ssh2->openssh 15/19 17/21 19/23
openssh->ssh1 21/28 6/11
openssh->ssh2 15/20 8/12 4/7 10/15

84Mb file
NFS 25.42
ftp 104.29
openssh arcfour 114/127
openssh blowfish 117/130

One of our users was talking about moving gigabytes; I'm not sure if a
single file or little ones. They had complained about the time taken
by ssh1 compared with ftp.

It looks like NFS is easily the fastest, then the unencrypted transfers
with arcfour/blowfish on OpenSSH close behind, if you ignore the setup
time (from when I hit return till when the activity indicator starts)
The system had a normal user load so times are not guaranteed.

Though of course, there's going to be a non-trivial expense associated
with MAC'ing. I have no numbers, but I would imagine that the time
associated with md5 hasing is of the same order as the time associated
with crypting equivalent amounts of data?


-Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you
lead have become alarmed at your own brutality. --John Gardner