It’s been five years since the last OpenSSH ciphers performance benchmark. There are two fundamentally new things to consider, which also gave me the incentive to redo the tests:
- Since OpenSSH version 6.7 the default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. This has been adopted in Debian “Jessie”.
- Modern CPUs have hardware acceleration for AES encryption.
I tested five different platforms having CPUs with and without AES hardware acceleration, different OpenSSL versions, and running on different platforms including dedicated servers, OpenVZ and AWS.
Since the processing power of each platform is different, I had to choose a criteria to normalize results, in order to be able to compare them. This was a rather confusing decision, and I hope that my conclusion is right. I chose to normalize against the “arcfour*”, “blowfish-cbc”, and “3des-cbc” speeds, because I doubt it that their implementation changed over time. They should run equally fast on each platform because they don’t benefit from the AES acceleration, nor anyone bothered to make them faster, because those ciphers are meant to be marked as obsolete for a long time.
You can download the raw data as an Excel file. Here is the command which was run on each server:
# uses "/root/tmp/dd.txt" as a temporary file! for cipher in aes128-cbc aes128-ctr email@example.com aes192-cbc aes192-ctr aes256-cbc aes256-ctr firstname.lastname@example.org arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc email@example.com 3des-cbc ; do for i in 1 2 3 ; do echo echo "Cipher: $cipher (try $i)" dd if=/dev/zero bs=4M count=1024 2>/root/tmp/dd.txt | pv --size 4G | time -p ssh -c "$cipher" root@localhost 'cat > /dev/null' grep -v records /root/tmp/dd.txt done done
We can draw the following conclusions:
- Servers which run a newer CPU with AES hardware acceleration can enjoy the benefit of (1) a lot faster AES encryption using the recommended OpenSSH ciphers, and (2) some AES ciphers are now even two-times faster than the old speed champion, namely “arcfour”. I could get those great speeds only using OpenSSL 1.0.1f or newer, but this may need more testing.
- Servers having a CPU without AES hardware acceleration still get two-times faster AES encryption with the newest OpenSSH 6.7 using OpenSSL 1.0.1k, as tested on Debian “Jessie”. Maybe they optimized something in the library.
Test results may vary (a lot) depending on your hardware platform, Linux kernel, OpenSSH and OpenSSL versions.