Cipher and Algorithm Selection

Choosing appropriate ciphers and algorithms balances security with compatibility and performance. Modern configurations should eliminate weak algorithms while maintaining interoperability with required systems.

Configure algorithm preferences based on security requirements:

# Ultra-secure configuration (may break compatibility)
# For servers handling sensitive data
Ciphers [email protected]
MACs [email protected]
KexAlgorithms [email protected]
HostKeyAlgorithms ssh-ed25519
PubkeyAcceptedKeyTypes ssh-ed25519

# Balanced security configuration
# Good security with broader compatibility
Ciphers [email protected],[email protected],[email protected],aes256-ctr
MACs [email protected],[email protected],[email protected]
KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256

# Compatibility mode for legacy systems
# Use only when absolutely necessary
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
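Whichever profile is deployed, verify the effective server configuration rather than the file that was edited, because Match blocks, Include files and defaults all contribute to what sshd actually offers. The following is an added example, not code from the original page: it reads the output of `sshd -T` (which dumps the effective settings with lowercase keywords) and flags entries matching an assumed deny-list of CBC, RC4/3DES, MD5/SHA-1 and ssh-rsa algorithms. The sample input is constructed, the deny-list is an assumption to adjust to local policy, and both the old `PubkeyAcceptedKeyTypes` keyword and its OpenSSH 8.5+ name `PubkeyAcceptedAlgorithms` are recognised.

```shell
#!/bin/sh
# check_ssh_algos.sh - flag legacy algorithms in an sshd effective configuration.
# Input is the output of `sshd -T` (effective config after Include/Match
# processing, lowercase keywords). Live use: check_algos "$(sudo sshd -T)"
# (sshd -T needs to read the host keys, hence root).

# Assumed deny-list, adjust to local policy: CBC modes, RC4/3DES and other
# legacy ciphers, MD5/SHA-1 MACs, SHA-1 key exchange, SHA-1 RSA signatures
# (ssh-rsa; rsa-sha2-* is fine) and DSA host/user keys.
WEAK_PATTERNS='cbc|arcfour|3des|blowfish|cast128|hmac-md5|hmac-sha1|ripemd|group1-sha1|group14-sha1|group-exchange-sha1|^ssh-rsa$|^ssh-rsa-cert|^ssh-dss'

# check_algos "<sshd -T output>": prints one "keyword:algorithm" line per
# weak entry found in the algorithm-list keywords; prints nothing when clean.
check_algos() {
    printf '%s\n' "$1" | while read -r keyword list; do
        case "$keyword" in
            ciphers|macs|kexalgorithms|hostkeyalgorithms) ;;
            pubkeyacceptedalgorithms|pubkeyacceptedkeytypes) ;;
            *) continue ;;
        esac
        # Split the comma-separated list and test each algorithm name on its own
        printf '%s\n' "$list" | tr ',' '\n' | grep -E "$WEAK_PATTERNS" |
            while read -r algo; do printf '%s:%s\n' "$keyword" "$algo"; done
    done
    return 0
}

# Constructed sample of sshd -T output (not captured from a real host)
SAMPLE_SSHD_T='port 22
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# Stand-alone run: reports the four legacy entries in the sample
check_algos "$SAMPLE_SSHD_T"
```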

Test cipher performance for your environment:

#!/bin/bash
# test_ssh_ciphers.sh - Benchmark SSH cipher performance
set -u

CIPHERS=(
    "[email protected]"
    "[email protected]"
    "[email protected]"
    "aes256-ctr"
    "aes128-ctr"
)

TEST_FILE="/tmp/test_file_1GB"
REMOTE_HOST="test-server.example.com"
REMOTE_PATH="/tmp/$(basename "$TEST_FILE")"

# Create a 1 GiB file of random (incompressible) data so the cipher, not
# compression, dominates the transfer time
dd if=/dev/urandom of="$TEST_FILE" bs=1M count=1024 2>/dev/null

echo "Testing SSH cipher performance..."
echo "================================"

for cipher in "${CIPHERS[@]}"; do
    echo -n "Testing $cipher: "

    # Time the transfer; skip the cipher instead of reporting a bogus speed
    # when the server refuses it
    start_time=$(date +%s.%N)
    if ! scp -c "$cipher" "$TEST_FILE" "$REMOTE_HOST:$REMOTE_PATH" 2>/dev/null; then
        echo "transfer failed (cipher not offered by the server?)"
        continue
    fi
    end_time=$(date +%s.%N)

    # Calculate transfer time and throughput
    duration=$(echo "$end_time - $start_time" | bc)
    speed=$(echo "scale=2; 1024 / $duration" | bc)

    echo "$speed MB/s (${duration}s)"

    # Cleanup remote file
    ssh "$REMOTE_HOST" "rm -f '$REMOTE_PATH'"
done

# Cleanup
rm -f "$TEST_FILE"