SHA-1 practical recommendations?
Mark D. Baushke
mdb at juniper.net
Thu Mar 11 10:10:14 AEDT 2021
James Ralston <ralston at pobox.com> writes:
> As others have mentioned, there is guidance about this in
> draft-ietf-curdle-ssh-kex-sha2:
>
> https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
>
> In summary, of these SHA-1 KexAlgorithms:
>
> * diffie-hellman-group1-sha1
> * diffie-hellman-group14-sha1
> * diffie-hellman-group-exchange-sha1
>
> and these SHA-1 GSSAPIKexAlgorithms:
>
> * gss-gex-sha1-
> * gss-group1-sha1-
> * gss-group14-sha1-
>
> …if it is necessary to enable one of them for backward compatibility
> with clients/servers that support only SHA-1 algorithms, then this is
> the only one that should be enabled:
>
> * diffie-hellman-group14-sha1 (for KexAlgorithms)
> * gss-group14-sha1- (for GSSAPIKexAlgorithms)
>
> …because of the three, only group14-sha1 is using a 2048-bit MODP
> group. So if one must be enabled, it is the least-bad one to enable.
>
> This reasoning was explained in a previous version of the kex draft:
>
> https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-11.html
>
> Unfortunately, the explanation in the current version of the draft is
> arguably less clear.
Yup, a reviewer did not like my explanation and asked me to remove it.
group14 provides for 112 bits of security strength.
sha1 provides a nominal 80 bits of security strength, but due to the
current compromises, it may be as weak as only 64 bits of security
strength.
So, the *group14-sha1* has security strength MIN(112, 64) == ~64 bits of
security strength.
When trying to use this with 3des-cbc which has a nominal 112 bits of
security, but weaknesses associated with a small block size, the
security strength may be less secure than 112 bits.
That said, the shared key generated by the key exchange will not really
have enough security strength for most users.
Realistically, to provide for 128 bits of security strength
for symmetric Ciphers:
aes128-ctr,
aes128-cbc,
aes128-gcm@openssh.com
AEAD_AES_128_GCM
which all have symmetric keys of ~128 bits of security strength, one may
use any of these key exchanges, which provide the needed security
strength and work fine:
curve25519-sha256
curve448-sha512
diffie-hellman-group-exchange-sha256
diffie-hellman-group15-sha512
diffie-hellman-group16-sha512
diffie-hellman-group17-sha512
diffie-hellman-group18-sha512
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
gss-curve25519-sha256-*
gss-curve448-sha512-*
gss-group15-sha512-*
gss-group16-sha512-*
gss-group17-sha512-*
gss-group18-sha512-*
Be safe, stay healthy,
-- Mark
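The MIN(public-key strength, hash strength, cipher strength) rule in Mark's message is easy to apply by hand for one algorithm, but an sshd_config KexAlgorithms line usually carries a handful of them. The script below is an added example, not part of the message or of OpenSSH: it parses OpenSSH KEX names (including the gss-* and ecdh-sha2-* forms), computes the effective strength with that MIN rule, and flags any SHA-1 key exchange other than group14-sha1, the one the draft tolerates for backward compatibility. Only the group14 = 112, SHA-1 = ~64 effective, 3des-cbc = 112 and aes128 = 128 figures come from the message; every other figure in the tables, and the `parse_kex`/`audit_kex_list` helpers themselves, are assumptions of this example (the extra figures follow the NIST SP 800-57 and draft-ietf-curdle-ssh-kex-sha2 estimates).

```python
"""Apply MIN(group, hash, cipher) security strength to SSH algorithm names.

From the message: group14 = 112, SHA-1 ~64 effective, 3des-cbc = 112,
aes128-* = 128.  Every other figure is an ASSUMPTION (NIST SP 800-57 /
draft-ietf-curdle-ssh-kex-sha2 estimates) and should be checked locally.
"""
import re

# Public-key component of each KEX in bits of security strength.
GROUP_STRENGTH = {
    "group1": 80,            # 1024-bit MODP (assumed)
    "group14": 112,          # 2048-bit MODP (from the message)
    "group15": 128,          # 3072-bit MODP (assumed)
    "group16": 152,          # 4096-bit MODP (assumed)
    "group17": 176,          # 6144-bit MODP (assumed)
    "group18": 200,          # 8192-bit MODP (assumed)
    "curve25519": 128, "curve448": 224,                    # assumed
    "nistp256": 128, "nistp384": 192, "nistp521": 256,     # assumed
    "group-exchange": None,  # modulus negotiated at run time, unknown here
}
# Hash component; SHA-1 uses the ~64-bit figure from the message.
HASH_STRENGTH = {"sha1": 64, "sha256": 128, "sha384": 192, "sha512": 256}
# Symmetric ciphers named in the message.
CIPHER_STRENGTH = {
    "3des-cbc": 112,   # nominal; the small block size weakens it in practice
    "aes128-ctr": 128, "aes128-cbc": 128, "aes128-gcm@openssh.com": 128,
}

_DH_RE = re.compile(
    r"(?:gss-)?(?:diffie-hellman-)?"
    r"(group-exchange|gex|group\d+|curve25519|curve448)-(sha1|sha256|sha512)"
    r"(?:-.*)?"   # gss-* names end in '-' plus a base64 mechanism OID
)
_ECDH_RE = re.compile(r"ecdh-sha2-(nistp256|nistp384|nistp521)")
# RFC 5656 ties each NIST curve to a fixed hash.
_ECDH_HASH = {"nistp256": "sha256", "nistp384": "sha384", "nistp521": "sha512"}


def parse_kex(name):
    """Split a KEX name into (group, hash) table keys, or None if unrecognised."""
    base = name.split("@")[0]              # e.g. curve25519-sha256@libssh.org
    m = _DH_RE.fullmatch(base)
    if m:
        group = "group-exchange" if m.group(1) == "gex" else m.group(1)
        return group, m.group(2)
    m = _ECDH_RE.fullmatch(base)
    if m:
        return m.group(1), _ECDH_HASH[m.group(1)]
    return None


def kex_strength(name):
    """MIN(group, hash) strength in bits; None when not knowable statically."""
    parsed = parse_kex(name)
    if parsed is None:
        raise ValueError(f"unrecognised KEX algorithm: {name}")
    group, hash_name = parsed
    group_bits = GROUP_STRENGTH[group]
    if group_bits is None:                 # GEX: depends on negotiated modulus
        return None
    return min(group_bits, HASH_STRENGTH[hash_name])


def session_strength(kex, cipher):
    """Whole-session strength: the KEX result further capped by the cipher."""
    kex_bits = kex_strength(kex)
    return None if kex_bits is None else min(kex_bits, CIPHER_STRENGTH[cipher])


def audit_kex_list(kex_csv, target=128):
    """Classify a comma-separated KexAlgorithms value against a target strength.

    'sha1_not_group14' lists SHA-1 entries other than group14-sha1 (the only
    SHA-1 KEX the draft tolerates); those names also land in one of the
    strength buckets.
    """
    report = {"meets_target": [], "below_target": [], "unknown": [],
              "sha1_not_group14": []}
    for name in (n.strip() for n in kex_csv.split(",") if n.strip()):
        parsed = parse_kex(name)
        if parsed is None:
            report["unknown"].append(name)
            continue
        group, hash_name = parsed
        if hash_name == "sha1" and group != "group14":
            report["sha1_not_group14"].append(name)
        bits = kex_strength(name)
        if bits is None:
            report["unknown"].append(name)
        elif bits >= target:
            report["meets_target"].append(name)
        else:
            report["below_target"].append(name)
    return report


if __name__ == "__main__":
    # Constructed sample: a mixed legacy/modern KexAlgorithms line.
    sample = ("curve25519-sha256,diffie-hellman-group16-sha512,"
              "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1")
    for bucket, names in audit_kex_list(sample).items():
        print(f"{bucket}: {names}")
    print("group14-sha1 with 3des-cbc ->",
          session_strength("diffie-hellman-group14-sha1", "3des-cbc"), "bits")
```

Feed it the output of `sshd -T | grep -i kexalgorithms` (or the KexAlgorithms line from a client config) to see which entries keep a session at the 128-bit level Mark describes; group-exchange entries come back as unknown because their strength depends on the modulus size negotiated per connection.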