max rsa key length, sym. cipher and digest recommendations ?

Guus Sliepen guus at tinc-vpn.org
Tue Jan 7 11:18:10 CET 2014


On Tue, Jan 07, 2014 at 10:45:04AM +0100, Phooraalai wrote:

> I understand that I can use the openssl ciphers and digests available on
> my systems, i.e. those in the list generated by "openssl
> list-cipher-commands" and "openssl list-message-digest-algorithms".

That is correct.

> I want to create an admin vpn network between my servers and my
> workplace. Network throughput is not a big issue, I am using ssh and the
> cli, however I would also do incremental rsync backups over this vpn.
> 
> What are the recommendations for rsa key lengths, the cipher and the
> digest algo ?

The default values are already pretty good (2048-bit RSA keys, Blowfish-CBC,
and SHA1).

> Blowfish as the symmetric cipher seems ok to me. Would aes-256-cbc
> benefit from the aes acceleration in modern cpus ?
> 
> Would cipher=aes-256-cbc work in my host configuration files ?

Yes, that would work.

> The documentation ( man 5 tinc.conf ) says that sha1 is the default
> digest. What about using sha512? Any huge performance penalty that I
> would have to know about ?
> 
> Would digest=sha512 work in my host configuration files ?

That would work, but SHA512 is twice as slow as SHA1. If you are using the AES
cipher on a CPU which accelerates AES, then the digest algorithm will be the
largest consumer of CPU time, so if you don't want to lose the benefit of AES
you should stick to SHA1.

> What is the max rsa key length supported by tinc when running tincd -n
> NETNAME -KXXXX to generate the asym. rsa key? 4096, 8192, 16384 ?

Any length up to 8192 bits is supported by tinc. You also don't have to use
powers of two, for example you can also use 6000-bit keys.

> Is there somewhere a write up of the steps to build my own .deb packages
> for debian wheezy and ubuntu 12.04 ?

The easiest way is to run "apt-get source tinc" to get the source of the tinc
package, then to make any modifications you want, and then run "debuild"
(debuild is part of the devscripts package).

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
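The following script is an added example, not code from this thread, from Guus, or from the tinc project. It puts the three settings discussed above into one place: it parses a constructed tinc host configuration (the keys "Cipher" and "Digest" as used in `man 5 tinc.conf`), checks the requested RSA key length against the 8192-bit upper bound stated in the reply (the 1024-bit lower bound is an assumption of this example, not something the thread states), checks the digest against what the local OpenSSL build actually provides via Python's `hashlib`, and measures sha1 versus sha512 throughput on the machine it runs on, so the "twice as slow" estimate can be verified for your own CPU rather than assumed. The cipher allowlist `KNOWN_CIPHERS` is a constructed subset of OpenSSL cipher command names and should be replaced with the output of `openssl list-cipher-commands` on your system.

```python
import hashlib
import time

# Constructed sample tinc host configuration for this example (not from the thread).
SAMPLE_HOST_CONFIG = """\
# host config for a hypothetical node
Address = 203.0.113.10
Port = 655
Subnet = 10.0.0.0/24
Cipher = aes-256-cbc
Digest = sha512
"""

# tinc accepts RSA keys up to 8192 bits, and the length need not be a power of two.
MAX_RSA_BITS = 8192
# Lower bound is an assumption for this example; the thread only states the upper bound.
MIN_RSA_BITS = 1024

# Constructed subset of OpenSSL cipher command names; replace with the output of
# "openssl list-cipher-commands" from the system that will run tincd.
KNOWN_CIPHERS = {
    "aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
    "bf-cbc", "blowfish",
    "camellia-256-cbc",
}


def parse_tinc_config(text):
    """Parse 'Key = Value' lines into a dict. tinc treats keys case-insensitively,
    so keys are lower-cased here; '#' starts a comment."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError("line %d: expected 'Key = Value'" % lineno)
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def rsa_key_bits_ok(bits):
    """True if a '-K<bits>' request is within the range tinc accepts."""
    return MIN_RSA_BITS <= bits <= MAX_RSA_BITS


def digest_available(name):
    """True if the local OpenSSL build (as exposed through hashlib) knows this digest."""
    return name.lower() in hashlib.algorithms_available


def cipher_known(name):
    """True if the cipher name is in the (constructed) allowlist above."""
    return name.lower() in KNOWN_CIPHERS


def check_host_config(text):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    conf = parse_tinc_config(text)
    findings = []
    cipher = conf.get("cipher", "bf-cbc")  # tinc default per the thread: Blowfish-CBC
    digest = conf.get("digest", "sha1")    # tinc default per the thread: SHA1
    if not cipher_known(cipher):
        findings.append("unknown cipher %r" % cipher)
    if not digest_available(digest):
        findings.append("digest %r not available in this OpenSSL build" % digest)
    return findings


def digest_throughput_mib_s(name, mebibytes=16):
    """Hash a zero-filled buffer and return MiB/s, so the relative cost of sha1 and
    sha512 can be measured on the CPU that will actually run tincd."""
    data = b"\x00" * (1024 * 1024)
    h = hashlib.new(name)
    start = time.perf_counter()
    for _ in range(mebibytes):
        h.update(data)
    h.digest()
    elapsed = time.perf_counter() - start
    return mebibytes / elapsed if elapsed > 0 else float("inf")


if __name__ == "__main__":
    print("findings:", check_host_config(SAMPLE_HOST_CONFIG) or "none")
    for bits in (2048, 6000, 8192, 16384):
        print("-K%d supported by tinc: %s" % (bits, rsa_key_bits_ok(bits)))
    for d in ("sha1", "sha512"):
        print("%s: %.0f MiB/s" % (d, digest_throughput_mib_s(d)))
```

Run it on the host that will carry the VPN: the throughput numbers are what matter when deciding whether sha512 eats the gain from AES acceleration, and they differ between 32-bit and 64-bit CPUs.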