What is the most secure SSH cipher to use with OpenSSH?

The most secure and recommended cipher is aes256-gcm@openssh.com. It provides authenticated encryption with high performance, resistance to padding oracle attacks, and support for AES-NI hardware acceleration.

Why is chacha20-poly1305 a good alternative?

Chacha20-Poly1305 is a great alternative on systems without AES hardware acceleration. It provides authenticated encryption, high speed on mobile/low-power devices, and strong cryptographic security.

Is AES256-CBC safe to use?

AES256-CBC is not recommended due to its susceptibility to padding oracle attacks. Modern AEAD modes like GCM or ChaCha20 are preferred for secure SSH communications.

How can I check supported SSH MACs and ciphers?

You can run the command `sshd -T | grep macs` to list supported MAC algorithms. Supported ciphers are listed in the OpenSSH configuration or via `man sshd_config`.

What is serpent256-cbc and when should I use it?

Serpent256-CBC is a high-security block cipher, rarely used due to performance costs and lack of default support. It's only recommended in 'paranoid' configurations requiring maximum cryptographic assurance.

HiddenSSH - Secure OpenSSH Hardening

Encryption ciphers

        How OpenSSH Works #1
    

        How OpenSSH Works #2
    

To Configure:

nano /etc/ssh/sshd_config


# Encryption
# ----------
# The command "sshd -T | grep macs" shows the supported MAC algorithms.
# aes256-cbc uses AES in cipher-block chaining (CBC) mode, which can be vulnerable.
# aes256-gcm@openssh.com provides both encryption and authentication.
# twofish256-ctr is a good option but not widely supported.
# chacha20-poly1305@openssh.com is faster than AES, especially without AES-NI.
# Run /proc/cpuinfo to check the flags.
# Use aes256-ctr if things break.
Ciphers aes256-gcm@openssh.com

Best Choice: AES256-GCM@openssh.com

✅ **Recommended First Choice** – Supported out of the box with OpenSSH.

AES256-GCM@openssh.com

🔹 **Authenticated Encryption (AEAD):** Combines **encryption + integrity protection**, preventing tampering and ensuring secure communications.
🔹 **Resistant to Padding Oracle Attacks:** Unlike CBC-based modes, **GCM eliminates padding vulnerabilities**.
🔹 **High Performance:** **Supports parallel processing**, making it faster than traditional block ciphers.
🔹 **Optimized for Modern Hardware:** Uses **AES-NI acceleration**, reducing CPU load while improving security.
🔹 **Trusted & Standardized:** Used in government, enterprise, and modern cryptographic implementations.

🔗 Alternative Secure Choices:
✅ **Chacha20-Poly1305@openssh.com** (Faster on non-AES hardware, ideal for mobile/low-power devices)
✅ **AES128-GCM@openssh.com** (Lower overhead but still secure if AES256 is too resource-intensive)

Paranoid Mode: serpent256-cbc

Provides **high-security encryption** but requires **significant configuration** and may impact performance. Serpent256-CBC is known for its strong encryption design, but its use in modern systems is limited due to its computational overhead.

**Why Serpent?** 🔐
✅ **Highly Secure:** Serpent256-CBC was one of the AES competition finalists, designed for strong cryptographic protection.
✅ **Resistant to Cryptanalysis:** Unlike AES, Serpent uses **32 rounds of encryption**, making brute-force and differential cryptanalysis significantly harder.
✅ **No Known Backdoors:** Unlike AES, where theoretical concerns exist about possible **NSA involvement**, Serpent remains mathematically unbroken.

**Why Not Serpent?** ⚠️
🔻 **Performance Trade-off:** Serpent is significantly **slower than AES** in software implementations, making it impractical for real-time encryption needs.
🔻 **Limited Hardware Support:** Unlike AES, Serpent lacks widespread hardware acceleration, increasing CPU load.
🔻 **Compatibility Issues:** Not natively supported in most modern OpenSSH builds, requiring **custom OpenSSL builds** or patches.

🔗 Alternative Secure Ciphers:
✅ Twofish256-CBC (Balanced security & performance)
✅ Serpent-CBC (For extreme security needs)

Good choice: aes256-ctr

Supported directly out of the box.

aes256-ctr
aes256-cbc (⚠️ Vulnerable to attacks: If ciphertext integrity is not verified via MAC "Message Authentication Code", attackers can exploit padding errors to decrypt or manipulate data without knowing the encryption key. This is a common issue in unauthenticated AES-CBC implementations.)

Fastest: aes128-gcm@openssh.com

Best choice when optimizing resources is needed, e.g., large file transfers.

To ensure optimal performance when transferring large files over SCP, it's important to consider the use of accelerators. Accelerators are components designed to speed up specific operations by offloading them from the main CPU. These components can be either hardware or software-based.

One example of a hardware accelerator that was commonly used in the past is the 3DES accelerator. 3DES is a symmetric-key encryption algorithm that was widely supported by hardware accelerators in the early days of SSH and SCP. The algorithm has since been superseded by the Advanced Encryption Standard (AES), which provides stronger security and is supported by modern CPUs through the AES instruction set.

Recommended Ciphers:
🔹 aes128-gcm@openssh.com ✅ (Fastest & Secure)
🔹 chacha20-poly1305@openssh.com ✅ (Lightweight Alternative)
⚠️ Warning:
🔻 aes128-cbc ❌ (Vulnerable to attacks: If ciphertext integrity is not verified via MAC "Message Authentication Code", attackers can exploit padding errors to decrypt or manipulate data without knowing the encryption key. This is a common issue in unauthenticated AES-CBC implementations.)

Other:

Miscellaneous ciphers that are available but may have security concerns.

⚠️ Vulnerable Ciphers:
🔻 twofish128-cbc ❌ (Vulnerable if ciphertext integrity is not verified via MAC)
🔻 serpent192-cbc ❌ (Vulnerable if ciphertext integrity is not verified via MAC)
🔻 serpent128-cbc ❌ (Vulnerable if ciphertext integrity is not verified via MAC)
🔻 blowfish-cbc ❌ (Vulnerable if ciphertext integrity is not verified via MAC)
🔻 cast128-cbc ❌ (Vulnerable if ciphertext integrity is not verified via MAC)
⚠️ Weak Ciphers (Avoid Using If Possible):
🔹 arcfour256 ⚠️ (Considered weak, avoid if possible)
🔹 arcfour128 ⚠️ (Considered weak, avoid if possible)

Vulnerable Ciphers - DO NOT USE:

❌ These ciphers are considered highly vulnerable and should never be used in secure environments.

⚠️ 3DES-CBC ❌ (Insecure & Deprecated)
🔻 Meet-in-the-Middle Attack: This vulnerability reduces brute-force complexity, allowing attackers to efficiently recover encryption keys.
🔻 Slow & Outdated: 3DES requires multiple encryption passes, making it slower and still weaker than modern ciphers.
🔻 Deprecated in OpenSSH: Officially removed from OpenSSH due to security risks.

❗ What Should You Use Instead?
✅ **aes256-gcm@openssh.com** (Recommended for security & performance)
✅ **chacha20-poly1305@openssh.com** (Efficient & secure, especially on resource-limited devices)