Encryption & authentication methods¶
fastd supports various combinations of ciphers and authentication schemes using different method providers. All ciphers, message authentication codes (MACs) and method providers can be disabled during compilation to reduce the binary size.
See Benchmarks for an overview of the performance of the different methods.
Recommended methods¶
The method salsa2012+umac is recommended for authenticated encyption. null+salsa2012+umac is the recommended method for authenticated-only operation.
Salsa20/12 is a stream cipher with very high speed and a very comfortable security margin. It has been chosed for the software profile in the eSTREAM project in 2008.
UMAC is an extremely fast message authentication code which is provably secure and optimized for software implementations.
OpenWrt¶
Too keep the binary as small as possible, only the following methods are enabled on OpenWrt by default:
- salsa2012+gmac
- salsa2012+umac
- null+salsa2012+gmac
- null+salsa2012+umac
- null
Of these, the GMAC-based methods may be dropped in the future to further reduce the binary size, as UMAC is the superior authentication scheme (it is faster than GMAC, provably secure and its software implementation isn’t suspect to timing side channels).
List of methods¶
Encrypted methods¶
Method | Method provider | Cipher | MAC | Notes |
---|---|---|---|---|
aes128-gcm | generic-gmac | aes128-ctr | ghash | [2] |
salsa20+gmac | generic-gmac | salsa20 | ghash | |
salsa2012+gmac | generic-gmac | salsa2012 | ghash | |
aes128-ctr+umac | generic-umac | aes128-ctr | uhash | [2] |
salsa20+umac | generic-umac | salsa20 | uhash | |
salsa2012+umac | generic-umac | salsa2012 | uhash | |
aes128-ctr+poly1305 | generic-poly1305 | aes128-ctr | none [1] | [2], [3] |
salsa20+poly1305 | generic-poly1305 | salsa20 | none [1] | [3] |
salsa2012+poly1305 | generic-poly1305 | salsa2012 | none [1] | [3] |
This list is not exhaustive. It is possible to combine different ciphers for data and authentication tag encryption using the composed-gmac and composed-umac method providers; these methods aren’t listed here as this is not very useful.
Authenticated-only methods¶
Method | Method provider | Cipher | MAC | Notes |
---|---|---|---|---|
null+aes128-gmac | composed-gmac | aes128-ctr | ghash | [2], [4] |
null+salsa20+gmac | composed-gmac | salsa20 | ghash | [4] |
null+salsa2012+gmac | composed-gmac | salsa2012 | ghash | [4] |
null+aes128-ctr+umac | composed-umac | aes128-ctr | uhash | [2], [4] |
null+salsa20+umac | composed-umac | salsa20 | uhash | [4] |
null+salsa2012+umac | composed-umac | salsa2012 | uhash | [4] |
Deprecated methods¶
Method | Method provider | Cipher | MAC | Notes |
---|---|---|---|---|
xsalsa20-poly1305 | xsalsa20-poly1305 | none | none | [6] |
Since fastd v11 salsa20+poly1305 should be used instead (or even better a more performant method like salsa2012+gmac); xsalsa20-poly1305 will be removed eventually.
[1] | (1, 2, 3) The MAC is integrated in the method provider. |
[2] | (1, 2, 3, 4, 5) AES is very slow without OpenSSL support. OpenSSL’s AES implementation may be suspect to cache timing side channels when no hardware support like AES-NI is available. |
[3] | (1, 2, 3) Poly1305 is very slow on embedded systems. |
[4] | (1, 2, 3, 4, 5, 6) The cipher is used to encrypt the authentication tag only, the actual data is transmitted unencrypted. |
[5] | Only authentication of peers’ IP addresses, but no encryption or authentication of any data is provided. |
[6] | Both the cipher and the MAC are integrated in the method provider. |