SSH: Discontinue use of CBC
Closed this issue · 0 comments
egberts commented
During the encryption part of server algorithm negotiation, CBC is to be avoided: use GCM or CTR.
The main difference between GCM and CTR is that GCM also provides authentication and integrity protection while CTR only provides confidentiality.
WARNING: AES-GCM has a limit to the size of data (~60GB) that it can encrypt before the counter cycles. But GCM and others may work fine.
No recommendation yet on GCM/CTR choice.
Reference
https://web.archive.org/web/20230000000000*/https://www.isg.rhul.ac.uk/~kp/surfeit.pdf
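A small checker for the point made in the issue, added here as an example and not part of the issue or any project referenced by it: it reads the `Ciphers` directive from an `sshd_config` fragment, reports any CBC-mode entries, and rebuilds the directive with only GCM and CTR ciphers (GCM listed first). Cipher names use OpenSSH's naming scheme (`aes256-cbc`, `aes128-ctr`, `aes256-gcm@openssh.com`), and the `+`/`-`/`^` list prefixes are the ones OpenSSH accepts; the config text itself is constructed for the demonstration.

```python
"""Flag CBC ciphers in an sshd_config 'Ciphers' directive and propose a
GCM/CTR-only replacement.  Added example; config samples are constructed."""
import re

# Constructed sample sshd_config fragments (not taken from a real host).
WEAK_CONFIG = """\
# constructed sample: CBC ciphers enabled
Port 22
Ciphers aes256-cbc,aes128-cbc,3des-cbc,aes256-ctr
"""

HARDENED_CONFIG = """\
# constructed sample: GCM (authenticated) first, then CTR
Port 22
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
"""

# Matches an uncommented 'Ciphers <list>' line; a leading '#' does not match.
_CIPHERS_RE = re.compile(r"^\s*ciphers\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_ciphers(config_text):
    """Return (prefix, names) from the first 'Ciphers' directive.

    OpenSSH lets the list start with '+' (append to defaults), '-' (remove
    from defaults) or '^' (prepend to defaults).  The prefix is returned
    separately; (None, []) means no directive was found.
    """
    m = _CIPHERS_RE.search(config_text)
    if not m:
        return None, []
    value = m.group(1)
    prefix = value[0] if value[0] in "+-^" else ""
    names = [c for c in value[len(prefix):].split(",") if c]
    return prefix, names


def cipher_mode(name):
    """Classify an OpenSSH cipher name by its mode of operation."""
    if name.endswith("-cbc"):
        return "cbc"
    if "-gcm" in name:
        return "gcm"
    if name.endswith("-ctr"):
        return "ctr"
    return "other"  # e.g. chacha20-poly1305@openssh.com


def find_cbc(config_text):
    """Names of CBC ciphers the directive would enable (empty if none)."""
    prefix, names = parse_ciphers(config_text)
    if prefix == "-":
        # A '-' list only removes ciphers from the defaults; it enables none.
        return []
    return [n for n in names if cipher_mode(n) == "cbc"]


def hardened_directive(config_text):
    """Rebuild the directive keeping only GCM and CTR entries, GCM first.

    The original prefix is preserved so '+'/'^' semantics are unchanged.
    """
    prefix, names = parse_ciphers(config_text)
    if prefix is None:
        return None
    kept = [n for n in names if cipher_mode(n) in ("gcm", "ctr")]
    # Stable sort: GCM entries move ahead of CTR, relative order kept.
    kept.sort(key=lambda n: 0 if cipher_mode(n) == "gcm" else 1)
    return "Ciphers " + prefix + ",".join(kept)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        cbc = find_cbc(cfg)
        print(f"{label}: CBC ciphers enabled: {cbc or 'none'}")
        print(f"{label}: proposed directive: {hardened_directive(cfg)}")
```

The checker only covers the `Ciphers` directive; the counter-limit caveat the issue raises for GCM is handled in OpenSSH by its rekeying (the `RekeyLimit` directive), which this script does not inspect.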