SHA-1 practical recommendations?

Mark D. Baushke mdb at juniper.net
Thu Mar 11 10:10:14 AEDT 2021


James Ralston <ralston at pobox.com> writes:

> As others have mentioned, there is guidance about this in
> draft-ietf-curdle-ssh-kex-sha2:
> 
> https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
> 
> In summary, of these SHA-1 KexAlgorithms:
> 
> * diffie-hellman-group1-sha1
> * diffie-hellman-group14-sha1
> * diffie-hellman-group-exchange-sha1
> 
> and these SHA-1 GSSAPIKexAlgorithms:
> 
> * gss-gex-sha1-
> * gss-group1-sha1-
> * gss-group14-sha1-
> 
> …if it is necessary to enable one of them for backward compatibility
> with clients/servers that support only SHA-1 algorithms, then this is
> the only one that should be enabled:
> 
> * diffie-hellman-group14-sha1 (for KexAlgorithms)
> * gss-group14-sha1- (for GSSAPIKexAlgorithms)
> 
> …because of the three, only group14-sha1 is using a 2048-bit MODP
> group.  So if one must be enabled, it is the least-bad one to enable.
> 
> This reasoning was explained in a previous version of the kex draft:
> 
> https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-11.html
> 
> Unfortunately, the explanation in the current version of the draft is
> arguably less clear.

Yup, a reviewer did not like my explanation and asked me to remove it.

  group14 provides for 112 bits of security strength.

  sha1 provides a nominal 80 bits of security strength, but due to the
  current compromises, it may be as weak as only 64 bits of security
  strength.

So, the *group14-sha1* has security strength MIN(112, 64) == ~64 bits of
security strength.

When trying to use this with 3des-cbc which has a nominal 112 bits of
security, but weaknesses associated with a small block size, the
security strength may be less secure than 112 bits.

That said, the shared key generated by the key exchange will not really
have enough security strength for most users.

Realistically, to provide for 128 bits of security strength
for symmetric Ciphers:

   aes128-ctr,
   aes128-cbc,
   aes128-gcm at openssh.com
   AEAD_AES_128_GCM

which all have symmetric keys of ~128 bits of security strength, one may
use any of these key exchanges:

   curve25519-sha256
   curve448-sha512
   diffie-hellman-group-exchange-sha256   
   diffie-hellman-group15-sha512
   diffie-hellman-group16-sha512
   diffie-hellman-group17-sha512
   diffie-hellman-group18-sha512
   ecdh-sha2-nistp256
   ecdh-sha2-nistp384
   ecdh-sha2-nistp521
   gss-curve25519-sha256-*
   gss-curve448-sha512-*
   gss-group15-sha512-*
   gss-group16-sha512-*
   gss-group17-sha512-*
   gss-group18-sha512-*

security strength and work fine.

	Be safe, stay healthy,
	-- Mark
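An added example, not part of the thread above, that applies the "weakest component" rule Mark describes to an sshd_config fragment: each key exchange is scored as min(group, hash), each session as min(kex, cipher), and any SHA-1 exchange other than group14 is flagged. The group14 = 112 and sha1 = 64 figures are taken from the message; the remaining strength entries, the config fragment and the function names are assumptions made for this example.

```python
import re

# Strength figures in bits. group14 = 112 and sha1 = 64 (Mark's pessimistic figure,
# not the nominal 80) come from the message above; the remaining entries are assumed
# lower bounds consistent with its claim that those exchanges reach >= 128 bits.
HASH_BITS = {"sha1": 64, "sha256": 128, "sha512": 256}
GROUP_BITS = {"group1": 80, "group14": 112, "group-exchange": 128, "group15": 128,
              "group16": 128, "group17": 128, "group18": 128, "curve25519": 128,
              "curve448": 224, "nistp256": 128, "nistp384": 192, "nistp521": 256}
CIPHER_BITS = {"3des-cbc": 112, "aes128-ctr": 128, "aes128-cbc": 128,
               "aes128-gcm@openssh.com": 128, "aes256-gcm@openssh.com": 256}

def kex_strength(name):
    """min(group, hash) strength of one KexAlgorithms / GSSAPIKexAlgorithms entry,
    e.g. 'gss-group14-sha1-' -> min(112, 64) == 64."""
    n = name.removeprefix("gss-").rstrip("-*").removeprefix("diffie-hellman-")
    if n.startswith("ecdh-sha2-"):       # hash size is fixed by the curve (RFC 5656)
        return GROUP_BITS[n.removeprefix("ecdh-sha2-")]
    group, hash_ = n.rsplit("-", 1)
    return min(GROUP_BITS[group], HASH_BITS[hash_])

def parse_config(text):
    """Collect KexAlgorithms / GSSAPIKexAlgorithms and Ciphers lists from sshd_config
    text (plain comma lists only; the +/-/^ list-editing prefixes are not handled)."""
    cfg = {"kex": [], "ciphers": []}
    for line in text.splitlines():
        m = re.match(r"\s*(KexAlgorithms|GSSAPIKexAlgorithms|Ciphers)\s+(\S+)", line, re.I)
        if m:
            cfg["ciphers" if m[1].lower() == "ciphers" else "kex"] += m[2].split(",")
    return cfg

def audit(text, target=128):
    """Return (weak_pairs, bad_sha1): every kex/cipher pairing whose session strength
    min(kex, cipher) is below target, and every SHA-1 exchange other than the
    group14 one the draft tolerates for backward compatibility."""
    cfg = parse_config(text)
    weak = [(k, c, s) for k in cfg["kex"] for c in cfg["ciphers"]
            if (s := min(kex_strength(k), CIPHER_BITS[c])) < target]
    bad_sha1 = [k for k in cfg["kex"]
                if k.rstrip("-*").endswith("sha1") and "group14" not in k]
    return weak, bad_sha1

# Constructed sshd_config fragment for the demonstration, not a real host's config.
SAMPLE = """\
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
GSSAPIKexAlgorithms gss-group14-sha1-
Ciphers aes128-gcm@openssh.com,3des-cbc
"""
```

Running `audit(SAMPLE)` reports curve25519-sha256 paired with 3des-cbc at 112 bits, every group14-sha1 and group1-sha1 pairing at 64 bits, and group1-sha1 as the SHA-1 exchange that should not be enabled even for compatibility.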

