Can we disable diffie-hellman-group14-sha1 by default?
Mark D. Baushke
mdb at juniper.net
Mon Jan 21 04:58:40 AEDT 2019
Yegor Ievlev <koops1997 at gmail.com> writes:
> e.g. can we make it throw warnings etc. rsa-sha2-256 and rsa-sha2-512
> are fine, they use PSS.
I suggest you re-read RFC 8332 section 5.3 as they do NOT use PSS, they
use RSASSA-PKCS1-v1_5 signature padding.
| 5.3. PKCS #1 v1.5 Padding and Signature Verification
|
| This document prescribes RSASSA-PKCS1-v1_5 signature padding because:
|
| (1) RSASSA-PSS is not universally available to all implementations;
| (2) PKCS #1 v1.5 is widely supported in existing SSH
| implementations;
| (3) PKCS #1 v1.5 is not known to be insecure for use in this scheme.
|
| Implementers are advised that a signature with RSASSA-PKCS1-v1_5
| padding MUST NOT be verified by applying the RSA key to the
| signature, and then parsing the output to extract the hash. This may
| give an attacker opportunities to exploit flaws in the parsing and
| vary the encoding. Verifiers MUST instead apply RSASSA-PKCS1-v1_5
| padding to the expected hash, then compare the encoded bytes with the
| output of the RSA operation.
-- Mark
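The encode-then-compare rule in the quoted RFC text, worked through as an added example that is not part of this thread or of OpenSSH's own code: it builds the EMSA-PKCS1-v1_5 encoding of the expected SHA-256 hash and compares it against the RSA output, rather than parsing that output. It assumes a seeded, constructed demo RSA key (`make_demo_key`, Fermat-tested primes, not a real key generator) and the SHA-256 DigestInfo prefix from RFC 8017.

```python
import hashlib, hmac, random

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v1_5_encode(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(message)), em_len bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def verify_rsa_sha2_256(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """Encode-then-compare verifier (RFC 8332 s5.3): the RSA output is compared, never parsed."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:          # wrong length: reject before any arithmetic
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:                       # out-of-range signature representative
        return False
    em_from_signature = pow(s, e, n).to_bytes(k, "big")
    # Constant-time comparison of the whole encoded block, padding included.
    return hmac.compare_digest(em_from_signature, emsa_pkcs1_v1_5_encode(message, k))

def sign_rsa_sha2_256(n: int, d: int, message: bytes) -> bytes:
    """Signer counterpart, here only to produce inputs for the verifier."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v1_5_encode(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def _probable_prime(bits: int, rng: random.Random) -> int:
    """Fermat test with several bases; demo-only, not a production prime generator."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7, 11, 13, 17, 19)):
            return p

def make_demo_key(bits: int = 1024, seed: int = 8332):
    """Seeded demo RSA key pair (n, e, d); constructed for the example, never use for real."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _probable_prime(bits // 2, rng), _probable_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

if __name__ == "__main__":
    n, e, d = make_demo_key()
    sig = sign_rsa_sha2_256(n, d, b"constructed SSH exchange hash")
    print(verify_rsa_sha2_256(n, e, b"constructed SSH exchange hash", sig))
```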
More information about the openssh-unix-dev mailing list