Please forgive if this is the wrong place...

As a user of the excellent ssh and sshd I would like to see the next version of openssh contain support for the SHA-2 hashes (SHA-256, SHA-384, and SHA-512) as the SHA-1 hash is now known to be vulnerable to a 2^69 and possibly a 2^63 key-space search. As of version 0.98 openssl contained support for these hashes so it would be nice if openssh followed suit.

I posted this request before on comp.security.ssh and was correctly told that by default sshd regenerates the key every 60 mins. But consider a server using SHA-1, and an attacker who wants the user/password, or a file being transferred, and captures the cipher data. While they cannot see your session in "real time" they still could capture the data and key-search the SHA-1 hash, making it easier to break the key.

While I'm no crypto-expert, this does _NOT_ seem like a good thing(tm). Are there any plans to implement these hashes into openssh?

TIA,
David
On 10/14/05, David <shadoweyez at gmail.com> wrote:
> Please forgive if this is the wrong place...
>
> As a user of the excellent ssh and sshd I would like to see the next
> version of openssh contain support for the SHA-2 hashes (SHA-256,
> SHA-384, and SHA-512) as the SHA-1 hash is now known to be vulnerable to
> a 2^69 and possibly a 2^63 key-space search. As of version 0.98 openssl
> contained support for these hashes so it would be nice if openssh
> followed suit.

There are several questions that would need to be answered:

1) Does the SSH spec allow for any algorithms other than SHA1? If it doesn't then the first place to work it through would be the IETF. [I do not know the answer myself..]

2) How long do you want your message to be secure? If you say forever... then you are best off not saying anything. If you say 100 years.. it would probably be best not to say anything. If you are looking for 10 years then does the search space time for 2^60 or more fit into that time frame. (Searching 2^30 (approx 1 billion keys) a second it would take 34 years to search for this. This doesn't take into account parallelization or other items).

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
> Please forgive if this is the wrong place...
>
> As a user of the excellent ssh and sshd I would like to see the next
> version of openssh contain support for the SHA-2 hashes (SHA-256,
> SHA-384, and SHA-512) as the SHA-1 hash is now known to be vulnerable to
> a 2^69 and possibly a 2^63 key-space search. As of version 0.98 openssl
> contained support for these hashes so it would be nice if openssh
> followed suit.
>
> I posted this request before on comp.security.ssh and was correctly told
> that by default sshd regenerates the key every 60 mins. But consider a
> server using SHA-1, and an attacker who wants the user/password, or a
> file being transferred, and captures the cipher data. While they cannot
> see your session in "real time" they still could capture the data and
> key-search the SHA-1 hash, making it easier to break the key.
>
> While I'm no crypto-expert, this does _NOT_ seem like a good thing(tm).
> Are there any plans to implement these hashes into openssh?

You are no crypto-expert, but as the SSH protocol uses these things as HMAC variants, none of the above makes any sense.
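Added example, not code from the thread, from OpenSSH or from any of the list participants: the SSH MAC construction the reply above refers to, in Python. Per RFC 4253 section 6.4 the integrity tag is HMAC over the 32-bit packet sequence number followed by the unencrypted packet, keyed with a separate integrity key derived during key exchange. The key and packet bytes below are constructed for illustration only; the hmac-sha2-256 and hmac-sha2-512 algorithm names are assumptions relative to this thread, taken from RFC 6668, which was published later. The last helper carries out the search-time arithmetic in Stephen's reply (2^60 tries at 2^30 per second).

```python
import hashlib
import hmac
import struct

# MAC algorithm names as negotiated in SSH: hmac-sha1 from RFC 4253,
# hmac-sha2-256 / hmac-sha2-512 from RFC 6668 (assumption: added after this thread).
MAC_ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha2-256": hashlib.sha256,
    "hmac-sha2-512": hashlib.sha512,
}

# Constructed sample values (not taken from any real session).
INTEGRITY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
# Constructed stand-in for an unencrypted SSH packet: length, padding length, payload, padding.
PACKET = bytes([0, 0, 0, 12, 6]) + b"hello" + bytes(6)


def ssh_mac(key, seq, packet, algorithm="hmac-sha1"):
    """RFC 4253 section 6.4: mac = MAC(key, sequence_number || unencrypted_packet).

    The 32-bit sequence number is never sent on the wire; both sides count
    packets, so a tag captured from one packet does not verify for another.
    """
    digest = MAC_ALGORITHMS[algorithm]
    return hmac.new(key, struct.pack(">I", seq) + packet, digest).digest()


def verify_mac(key, seq, packet, received_mac, algorithm="hmac-sha1"):
    """Receiver-side check; compare_digest avoids a timing side channel."""
    expected = ssh_mac(key, seq, packet, algorithm)
    return hmac.compare_digest(expected, received_mac)


def years_to_search(keyspace_bits, rate_bits_per_second):
    """Stephen's estimate: 2^keyspace_bits tries at 2^rate per second, in years."""
    seconds = 2 ** (keyspace_bits - rate_bits_per_second)
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for name in MAC_ALGORITHMS:
        tag = ssh_mac(INTEGRITY_KEY, 5, PACKET, name)
        print(f"{name:14s} {len(tag):2d} bytes  {tag.hex()}")
    tag = ssh_mac(INTEGRITY_KEY, 5, PACKET)
    print("same packet, next sequence number verifies:",
          verify_mac(INTEGRITY_KEY, 6, PACKET, tag))
    print(f"2^60 tries at 2^30 per second: {years_to_search(60, 30):.1f} years")
```

The tag lengths (20, 32 and 64 bytes) are the digest sizes of the underlying hash. What an eavesdropper holds is ciphertext plus tags produced by a keyed function; the collision results David cites concern finding two inputs with the same bare SHA-1 digest, which is not what recovering an HMAC key or the session keys requires. The sequence-number prefix is also why a captured packet fails verification when presented out of order.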