Hello Atsuhiko, this is great news! Especially hearing that SFTP performance can be improved by simply changing the cipher is very interesting.

I guess the only thing I don't quite understand is the way you want to handle the default settings. My understanding is that the default setting should

 * Allow most clients to simply work the best way they can, without any additional configuration
 * Do so even if it slightly compromises security or wastes CPU time
 * Allow clients that do not do special configuration to benefit from new features as they upgrade

In other words, I think the default configuration should "just work" and whoever wants to optimize it in his application in order to be more secure, or not waste CPU cycles, should do special config.

Based on these thoughts, I'd think that the default values should be as follows:

  "ciphers.s2c"  "aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc"
  "ciphers.c2s"  "aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc"
  "CheckCiphers" "aes256-cbc,aes192-cbc,aes128-cbc"

This will enable maximum compatibility, and maximal speed (by using aes128 as first try) at the cost of running the checks for availability by default.

Clients who know they only want a particular well-known set of ciphers (for whatever reason) can manually configure ciphers.s2c to their favorite ciphers. Such clients will only get those ciphers forever, even if Jsch is upgraded to provide more ciphers in the future.

I think the problem, if it's not the way I'm proposing, is that if I write my application today and I want to make use of aes192-cbc and aes256-cbc, I need to manually override the config today; but if I do so, my application cannot benefit from future addition of ciphers, because I'm manually overriding the config already.

What do you think about this?

Cheers,
--
Martin Oberhuber
Wind River Systems, Inc.
Target Management Project Lead, DSDP PMC Member
http://www.eclipse.org/dsdp/tm

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Atsuhiko Yamanaka
> Sent: Friday, August 10, 2007 4:39 AM
> To: jsch-users@lists.sourceforge.net
> Subject: Re: [JSch-users] AES ciphers on Jsch (was: JSch on Vmware ESX 3.0)
>
> Hi,
>
> +-From: [EMAIL PROTECTED] (Atsuhiko Yamanaka) --
> |_Date: Fri, 3 Aug 2007 10:50:44 +0900 _______
> |
> |If you and others have strong and reasonable counter arguments or
> |suggestions, it may be checked in jsch.
>
> After investigations on these days, I have decided to enable AES cipher
> in the next release if it is available. It seems AES is lighter than 3des
> and it will be worth wasting CPU time to check its availability.
> For example, I have found that sftp transfer rates will be increased
> by just switching from 3des-cbc to aes128-cbc.
>
> The next version will have the property "CheckCiphers" and you can check
> ciphers as follows,
>
>   java.util.Hashtable config=new java.util.Hashtable();
>   config.put("cipher.s2c", // ciphers for the downward stream
>              "aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc");
>   config.put("cipher.c2s", // ciphers for the upward stream
>              "aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc");
>   config.put("CheckCiphers", "aes256-cbc,aes192-cbc,aes128-cbc");
>   session.setConfig(config);
>
> If some of ciphers specified by "CheckCiphers" are not available,
> they will be stripped from "cipher.s2c" and "cipher.c2s".
>
> The default value for those properties in the next release
> will be as follows,
>
>   config.put("cipher.s2c", "aes128-cbc,3des-cbc,blowfish-cbc");
>   config.put("cipher.c2s", "aes128-cbc,3des-cbc,blowfish-cbc");
>   config.put("CheckCiphers", "aes128-cbc");
>
> So, just updating jsch version, "aes128-cbc" will be chosen
> if AES 128-bit key is available.
>
> If you have confirmed the availability of AES support on your environment
> and you want to skip such a check, you need to re-set "CheckCiphers" as
> follows,
>
>   config.put("CheckCiphers", "");
>
> FYI, it seems that the GCJ included in Fedora has supported AES 256-bit key,
> because it has been using BouncyCastle's JCE provider.
>
>
> Sincerely,
> --
> Atsuhiko Yamanaka
> JCraft,Inc.
> 1-14-20 HONCHO AOBA-KU,
> SENDAI, MIYAGI 980-0014 Japan.
> Tel +81-22-723-2150
>     +1-415-578-3454
> Fax +81-22-224-8773
> Skype callto://jcraft/
>
> _______________________________________________
> JSch-users mailing list
> JSch-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/jsch-users
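
The availability check and stripping step discussed in this thread can be sketched as below. This is an added example, not JSch code and not part of either message. The class and method names are hypothetical, and it assumes the check amounts to initialising AES/CBC with the given key size on the local JCE provider.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not JSch source; all names here are hypothetical.
public class CipherAvailabilityCheck {
    // AES key length in bytes for the SSH cipher names used in the thread.
    static int aesKeyBytes(String sshName) {
        switch (sshName) {
            case "aes128-cbc": return 16;
            case "aes192-cbc": return 24;
            case "aes256-cbc": return 32;
            default: return -1; // this sketch only knows how to probe AES-CBC
        }
    }

    // True if the local JCE provider accepts AES/CBC with this key size.
    static boolean isAvailable(String sshName) {
        int keyBytes = aesKeyBytes(sshName);
        if (keyBytes < 0) return false; // names we cannot probe count as unavailable
        try {
            Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[keyBytes], "AES"),
                   new IvParameterSpec(new byte[16]));
            return true;
        } catch (Exception e) { // e.g. InvalidKeyException under a restricted JCE policy
            return false;
        }
    }

    // Drop every cipher named in checkCiphers that fails the probe; "" skips the check.
    static String strip(String proposal, String checkCiphers) {
        List<String> kept = new ArrayList<>(Arrays.asList(proposal.split(",")));
        for (String name : checkCiphers.split(",")) {
            if (!name.isEmpty() && !isAvailable(name)) kept.remove(name);
        }
        return String.join(",", kept);
    }

    public static void main(String[] args) {
        String proposal = "aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc";
        String check = "aes256-cbc,aes192-cbc,aes128-cbc";
        System.out.println("after check:   " + strip(proposal, check));
        System.out.println("check skipped: " + strip(proposal, ""));
    }
}
```

On a JVM limited to 128-bit keys the first line prints the list without aes192-cbc and aes256-cbc; the relative order of the surviving names is preserved, so aes128-cbc stays the first preference.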