bugzilla-daemon at bugzilla.mindrot.org
2009-Mar-30 05:40 UTC
[Bug 1580] New: [PATCH] HMAC should use sha1 instead of md5 by default
https://bugzilla.mindrot.org/show_bug.cgi?id=1580

           Summary: [PATCH] HMAC should use sha1 instead of md5 by default
           Product: Portable OpenSSH
           Version: 5.2p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: daniel.subs at internode.on.net

Created an attachment (id=1619)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1619)
openssh-hmac-sha1-prefered-cvs.patch

Both ssh and sshd should use sha1 in preference to md5. This is currently not the case.

It would be nicer for sha1 to be the default, even if it just stops the audit people from saying 'bad bad - using that flawed md5'.

I acknowledge that the control is totally in the ssh client end however reordering both isn't that hard.

patch attached performs this function.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
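The report's remark that control sits with the client follows from the SSH negotiation rule in RFC 4253, section 7.1: the chosen MAC is the first name on the client's list that the server also offers. The following is an added example, not part of the bug report or of OpenSSH's code; it parses two constructed KEXINIT payloads and applies that rule, and the MAC lists, the "none" placeholder fields and all function names are assumptions made for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in a KEXINIT payload (RFC 4253, section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(macs):
    """Build a constructed KEXINIT payload; non-MAC lists are placeholders."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)           # type byte + cookie
    for name in FIELDS:
        if name.startswith("mac_"):
            value = ",".join(macs)
        else:
            value = "" if name.startswith("lang_") else "none"
        raw = value.encode("ascii")
        out += struct.pack(">I", len(raw)) + raw         # name-list encoding
    return out + b"\x00" + struct.pack(">I", 0)          # follows flag, reserved

def parse_kexinit(payload):
    """Return the ten name-lists as {field: [names]}, checking every length."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += n
    return lists

def negotiate_mac(client, server, direction="mac_c2s"):
    """First MAC on the client's list that the server also lists."""
    for alg in client[direction]:
        if alg in server[direction]:
            return alg
    raise ValueError("no MAC in common")

if __name__ == "__main__":
    # Constructed lists: a server reordered to prefer SHA-1, two client orders.
    server = parse_kexinit(build_kexinit(["hmac-sha1", "hmac-md5"]))
    for macs in (["hmac-md5", "hmac-sha1"], ["hmac-sha1", "hmac-md5"]):
        client = parse_kexinit(build_kexinit(macs))
        print(macs, "->", negotiate_mac(client, server))
```

Reordering only the server's list leaves the result unchanged for a client that still lists hmac-md5 first; the server's list acts as a filter, not as a preference.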
bugzilla-daemon at bugzilla.mindrot.org
2009-Mar-30 06:00 UTC
[Bug 1580] [PATCH] HMAC should use sha1 instead of md5 by default
https://bugzilla.mindrot.org/show_bug.cgi?id=1580

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> 2009-03-30 17:00:37 ---
I don't think there is any strong reason to switch from HMAC-MD5 yet; HMAC-MD5 is not affected by the recent-ish MD5 bugs and SSH's use of the MAC would be much more difficult to exploit still (there is no length-extension that can be performed).

See http://www.ietf.org/mail-archive/web/cfrg/current/msg01196.html for an opinion by a real cryptographer.

If we do change, it will probably be to umac-64 at openssh.com as first preference MAC, and that will be as much for performance reasons as anything else.

(Please note: "appeasing clueless auditors" is not a reason we will ever respond to).
bugzilla-daemon at bugzilla.mindrot.org
2009-Mar-30 06:43 UTC
[Bug 1580] [PATCH] HMAC should use sha1 instead of md5 by default
https://bugzilla.mindrot.org/show_bug.cgi?id=1580

--- Comment #2 from Daniel Black <daniel.subs at internode.on.net> 2009-03-30 17:43:25 ---
(In reply to comment #1)
> I don't think there is any strong reason to switch from HMAC-MD5 yet;
> http://www.ietf.org/mail-archive/web/cfrg/current/msg01196.html

nice article - thanks

> umac-64 at openssh.com

ok.

> (Please note: "appeasing clueless auditors" is not a reason we will
> ever respond to).

acknowledged. Sorry for mentioning it. won't happen again.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-31 00:47 UTC
[Bug 1580] [PATCH] HMAC should use sha1 instead of md5 by default
https://bugzilla.mindrot.org/show_bug.cgi?id=1580

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #3 from Damien Miller <djm at mindrot.org> 2009-07-31 10:47:25 ---
oops, forgot to close this at the time.
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-06 04:01 UTC
[Bug 1580] [PATCH] HMAC should use sha1 instead of md5 by default
https://bugzilla.mindrot.org/show_bug.cgi?id=1580

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> 2009-10-06 15:01:54 EST ---
Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.