Strange crypto choices
Yegor Ievlev
koops1997 at gmail.com
Fri May 25 23:00:18 AEST 2018
The defaults for HostKeyAlgorithms option are:
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,ssh-rsa
Why does OpenSSH prefer older and less secure
(https://safecurves.cr.yp.to/) ECDSA with NIST curves over Ed25519?
Also, why are smaller key, curve and hash sizes preferred over bigger
ones?
The default ciphers are:
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com
Why is CTR mode preferred over GCM? Usually, AEAD ciphers are
preferred over non-AEAD ones.
The default MACs are:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,
umac-64@openssh.com,umac-128@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-sha1
Why is UMAC preferred over HMAC? UMAC is less widely known and does
not have as much research done on its security as HMAC.
Also, in the ssh-rsa-cert-v01@openssh.com case the certificate is signed
using SHA-1, allowing the certificate signature to be forged. In the
ssh-rsa case the attack is mitigated because the data is hashed with
SHA-256 before being signed. I suggest disabling this method by
default.
More information about the openssh-unix-dev
mailing list
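The following is an added example, not code from the post or from the OpenSSH project. It takes the three default preference lists quoted above as constructed input, encodes the post's ordering concerns as lint checks (ECDSA/NIST before Ed25519, smaller curves before bigger ones, ssh-rsa-cert-v01 enabled, a non-AEAD cipher before an AEAD one, UMAC before HMAC-SHA2, SHA-1 MACs enabled) and emits a reordered list that satisfies them. The policy is the post's argument turned into code, not an OpenSSH recommendation; all function names are the example's own.

```python
# Added example: lint OpenSSH HostKeyAlgorithms/Ciphers/MACs preference lists
# against the ordering concerns raised in the post, and reorder them to match.
# The checks encode the post's position, not an OpenSSH project recommendation.

AEAD_CIPHERS = {
    "chacha20-poly1305@openssh.com",
    "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com",
}

# Constructed input: the default lists quoted in the post.
DEFAULT_HOSTKEYS = (
    "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com,"
    "ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
    "ssh-ed25519,ssh-rsa"
)
DEFAULT_CIPHERS = (
    "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
)
DEFAULT_MACS = (
    "umac-64-etm@openssh.com,umac-128-etm@openssh.com,"
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
    "hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,"
    "hmac-sha2-256,hmac-sha2-512,hmac-sha1"
)


def split_algs(spec: str) -> list[str]:
    """Split a comma-separated OpenSSH algorithm list, dropping empty entries."""
    return [a for a in spec.split(",") if a]


def first_index(algs, pred):
    """Index of the first algorithm satisfying pred, or None."""
    return next((i for i, a in enumerate(algs) if pred(a)), None)


def is_ecdsa(a: str) -> bool:
    return a.startswith("ecdsa-sha2-nistp")


def curve_bits(a: str) -> int:
    """'ecdsa-sha2-nistp521-cert-v01@openssh.com' -> 521."""
    return int(a.split("nistp", 1)[1].split("-", 1)[0])


def lint_hostkeys(spec: str) -> list[str]:
    algs = split_algs(spec)
    findings = []
    if "ssh-rsa-cert-v01@openssh.com" in algs:
        findings.append("ssh-rsa-cert-v01@openssh.com enabled (SHA-1 CA signature)")
    ecdsa, ed = first_index(algs, is_ecdsa), first_index(algs, lambda a: a.startswith("ssh-ed25519"))
    if ecdsa is not None and ed is not None and ecdsa < ed:
        findings.append("ECDSA over NIST curves preferred to ssh-ed25519")
    # Check certificate and plain-key ECDSA entries separately: each group should run big-to-small.
    for cert in (True, False):
        sizes = [curve_bits(a) for a in algs if is_ecdsa(a) and (("-cert-" in a) == cert)]
        if sizes != sorted(sizes, reverse=True):
            findings.append("smaller ECDSA curves preferred to bigger ones")
            break
    return findings


def lint_ciphers(spec: str) -> list[str]:
    algs = split_algs(spec)
    non_aead = first_index(algs, lambda a: a not in AEAD_CIPHERS)
    aead_positions = [i for i, a in enumerate(algs) if a in AEAD_CIPHERS]
    if non_aead is not None and aead_positions and non_aead < max(aead_positions):
        return ["non-AEAD cipher listed before an AEAD cipher"]
    return []


def lint_macs(spec: str) -> list[str]:
    algs = split_algs(spec)
    findings = []
    if any(a.startswith("hmac-sha1") for a in algs):
        findings.append("hmac-sha1 variants enabled")
    umac = first_index(algs, lambda a: a.startswith("umac-"))
    hmac2 = first_index(algs, lambda a: a.startswith("hmac-sha2-"))
    if umac is not None and hmac2 is not None and umac < hmac2:
        findings.append("UMAC preferred to HMAC-SHA2")
    return findings


def harden_hostkeys(spec: str) -> str:
    """Drop ssh-rsa-cert, keep certs first (as OpenSSH does), Ed25519 > ECDSA big-to-small > ssh-rsa."""
    keep = [a for a in split_algs(spec) if a != "ssh-rsa-cert-v01@openssh.com"]

    def rank(a):
        cert = 0 if "-cert-" in a else 1
        if a.startswith("ssh-ed25519"):
            return (cert, 0, 0)
        if is_ecdsa(a):
            return (cert, 1, -curve_bits(a))
        return (cert, 2, 0)

    return ",".join(sorted(keep, key=rank))


def harden_ciphers(spec: str) -> str:
    """Stable sort: AEAD ciphers first, original relative order otherwise."""
    return ",".join(sorted(split_algs(spec), key=lambda a: a not in AEAD_CIPHERS))


def harden_macs(spec: str) -> str:
    """Drop SHA-1 MACs; HMAC-SHA2 before UMAC, encrypt-then-MAC variants first within each."""
    keep = [a for a in split_algs(spec) if not a.startswith("hmac-sha1")]
    return ",".join(sorted(keep, key=lambda a: (not a.startswith("hmac-sha2-"), "-etm@" not in a)))


if __name__ == "__main__":
    for name, spec, lint in (("HostKeyAlgorithms", DEFAULT_HOSTKEYS, lint_hostkeys),
                             ("Ciphers", DEFAULT_CIPHERS, lint_ciphers),
                             ("MACs", DEFAULT_MACS, lint_macs)):
        print(f"{name}: {lint(spec) or 'no findings'}")
    print("HostKeyAlgorithms", harden_hostkeys(DEFAULT_HOSTKEYS))
    print("Ciphers", harden_ciphers(DEFAULT_CIPHERS))
    print("MACs", harden_macs(DEFAULT_MACS))
```

The last three printed lines are in ssh_config/sshd_config syntax and can be pasted directly; on a live host, compare them against the effective values shown by `ssh -G <host>` before deploying.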