Supported Ciphers
ZestSSH supports the following symmetric encryption algorithms for the SSH transport layer. During the SSH handshake, the client and server negotiate the strongest mutually supported cipher.
Algorithms are listed in ZestSSH’s preference order (most preferred first).
AEAD Ciphers (Recommended)
AEAD (Authenticated Encryption with Associated Data) ciphers provide both encryption and integrity protection in a single operation, eliminating the need for a separate MAC algorithm.
| Property | Value |
|---|---|
| Algorithm | ChaCha20 stream cipher + Poly1305 MAC |
| Key Size | 512 bits (two 256-bit keys) |
| Nonce | 8 bytes (derived from packet sequence number) |
| Tag Size | 16 bytes |
| Block Size | 8 bytes |
| AEAD | Yes |
The recommended cipher. Uses two separate 256-bit keys: one for encrypting the packet payload and one for encrypting the packet length separately. This is an OpenSSH extension that has become the de facto standard for modern SSH.
ChaCha20-Poly1305 is constant-time on all platforms and does not require hardware AES acceleration, making it consistently fast on mobile devices and ARM servers.
| Property | Value |
|---|---|
| Algorithm | AES-256 in Galois/Counter Mode |
| Key Size | 256 bits |
| IV Size | 12 bytes |
| Tag Size | 16 bytes |
| Block Size | 16 bytes |
| AEAD | Yes |
AES-256-GCM provides strong authenticated encryption. Performance is excellent on hardware with AES-NI instructions (most modern x86 processors). On ARM devices without hardware AES, ChaCha20 may be faster.
| Property | Value |
|---|---|
| Algorithm | AES-128 in Galois/Counter Mode |
| Key Size | 128 bits |
| IV Size | 12 bytes |
| Tag Size | 16 bytes |
| Block Size | 16 bytes |
| AEAD | Yes |
Same as AES-256-GCM but with a 128-bit key. Still considered secure for all practical purposes. Slightly faster than AES-256 due to fewer key expansion rounds.
CTR Mode Ciphers
Counter mode ciphers provide encryption but require a separate MAC algorithm (typically HMAC-SHA2-256) for integrity protection.
aes128-ctr
| Property | Value |
|---|---|
| Algorithm | AES-128 in Counter Mode |
| Key Size | 128 bits |
| IV Size | 16 bytes |
| Block Size | 16 bytes |
| AEAD | No |
Widely supported and secure. CTR mode turns AES into a stream cipher, avoiding the padding issues of CBC mode.
aes192-ctr
| Property | Value |
|---|---|
| Algorithm | AES-192 in Counter Mode |
| Key Size | 192 bits |
| IV Size | 16 bytes |
| Block Size | 16 bytes |
| AEAD | No |
192-bit variant. Less commonly used than 128 or 256, but fully supported.
aes256-ctr
| Property | Value |
|---|---|
| Algorithm | AES-256 in Counter Mode |
| Key Size | 256 bits |
| IV Size | 16 bytes |
| Block Size | 16 bytes |
| AEAD | No |
256-bit variant. Use when connecting to servers that do not support AEAD ciphers.
CBC Mode Ciphers (Legacy)
CBC (Cipher Block Chaining) mode ciphers are supported for compatibility with older servers. CTR or AEAD ciphers are preferred when available.
aes128-cbc
| Property | Value |
|---|---|
| Algorithm | AES-128 in Cipher Block Chaining Mode |
| Key Size | 128 bits |
| IV Size | 16 bytes |
| Block Size | 16 bytes |
| AEAD | No |
Legacy cipher. Vulnerable to the SSH CBC plaintext recovery attack (CVE-2008-5161) in theory, though exploitation in practice is difficult. Use CTR mode when possible.
aes192-cbc
| Property | Value |
|---|---|
| Algorithm | AES-192 in Cipher Block Chaining Mode |
| Key Size | 192 bits |
| IV Size | 16 bytes |
| Block Size | 16 bytes |
| AEAD | No |
192-bit CBC variant. Same caveats as aes128-cbc.
aes256-cbc
| Property | Value |
|---|---|
| Algorithm | AES-256 in Cipher Block Chaining Mode |
| Key Size | 256 bits |
| IV Size | 16 bytes |
| Block Size | 16 bytes |
| AEAD | No |
256-bit CBC variant. Same caveats as aes128-cbc.
Not Supported
The following ciphers are intentionally not supported:
| Cipher | Reason |
|---|---|
| 3des-cbc | Insecure, small block size (64-bit), slow |
| arcfour / arcfour128 / arcfour256 | RC4 is cryptographically broken |
| blowfish-cbc | 64-bit block size, deprecated |
| cast128-cbc | 64-bit block size, deprecated |
| none | Disabling encryption entirely is a security risk |
Cipher Negotiation
ZestSSH offers its supported ciphers to the server in the order listed above. The first cipher supported by both sides is selected. If you are having trouble connecting to a server, check which ciphers the server supports:
```bash
ssh -Q cipher   # on the server
```
If the server only supports legacy ciphers not in ZestSSH’s list (e.g. 3des-cbc), you will need to update the server’s SSH configuration to enable at least one modern cipher.
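The selection rule from Cipher Negotiation (first cipher in the client's order that the server also lists) can be checked offline against a server's cipher list. This is an added example, not ZestSSH code: the three AEAD wire names are assumed to be the OpenSSH ones, and the server lists are constructed samples.

```python
# Added example. Client order follows this page, most preferred first.
# Assumption: the three AEAD entries use the OpenSSH wire names below.
CLIENT_PREFERENCE = [
    ("chacha20-poly1305@openssh.com", "aead"),
    ("aes256-gcm@openssh.com", "aead"),
    ("aes128-gcm@openssh.com", "aead"),
    ("aes128-ctr", "ctr"), ("aes192-ctr", "ctr"), ("aes256-ctr", "ctr"),
    ("aes128-cbc", "cbc"), ("aes192-cbc", "cbc"), ("aes256-cbc", "cbc"),
]

def parse_cipher_list(text):
    """Accept `ssh -Q cipher` output (one per line) or a comma-separated list."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        names.extend(n.strip() for n in line.split(",") if n.strip())
    return names

def negotiate(server_ciphers):
    """First cipher in the client's order that the server also lists, else None."""
    offered = set(server_ciphers)
    for name, mode in CLIENT_PREFERENCE:
        if name in offered:
            return name, mode
    return None

def assess(server_text):
    """Summarise what a connection to this server would end up using."""
    choice = negotiate(parse_cipher_list(server_text))
    if choice is None:                        # e.g. server offers only 3des-cbc
        return {"cipher": None, "separate_mac": None, "legacy": None}
    name, mode = choice
    return {"cipher": name, "separate_mac": mode != "aead", "legacy": mode == "cbc"}

# Constructed sample server lists (not captured from real hosts).
SAMPLES = {
    "modern": "3des-cbc\naes128-cbc\naes256-ctr\n"
              "aes256-gcm@openssh.com\nchacha20-poly1305@openssh.com\n",
    "ctr-only": "aes256-ctr,aes192-ctr,aes128-ctr",
    "cbc-only": "3des-cbc\naes256-cbc\n",
    "unsupported": "3des-cbc\narcfour\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:12} {assess(text)}")
```

The `ctr-only` sample shows that the server's own ordering does not matter: the client's order decides. `ssh -Q cipher` reports what the installed OpenSSH build can do; the server's configured `Ciphers` setting may allow fewer.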