e.g. can we make it throw warnings etc. rsa-sha2-256 and rsa-sha2-512
are fine, they use PSS.

On Sun, Jan 20, 2019 at 1:55 AM Yegor Ievlev <koops1997 at gmail.com> wrote:
>
> Also can we do anything with ssh-rsa? It uses both SHA-1 and
> deprecated PKCS#1 padding. If it's used to sign certificates, there's
> no additional protection of SHA-2 hashing before SHA-1 signature, it
> just signs the raw certificate.
>
> On Sat, Jan 19, 2019 at 11:32 PM Yegor Ievlev <koops1997 at gmail.com> wrote:
> >
> > I'm not sure if collision resistance is required for DH key
> > derivation, but generally, SHA-1 is on its way out. If it's possible
> > (if there's not a very large percentage of servers that do not support
> > anything newer), it should be disabled.
Also, are DH groups sent by server signed in addition to server's
supported algorithms?

On Sun, Jan 20, 2019 at 2:12 AM Yegor Ievlev <koops1997 at gmail.com> wrote:
>
> e.g. can we make it throw warnings etc. rsa-sha2-256 and rsa-sha2-512
> are fine, they use PSS.
>
> On Sun, Jan 20, 2019 at 1:55 AM Yegor Ievlev <koops1997 at gmail.com> wrote:
> >
> > Also can we do anything with ssh-rsa? It uses both SHA-1 and
> > deprecated PKCS#1 padding. If it's used to sign certificates, there's
> > no additional protection of SHA-2 hashing before SHA-1 signature, it
> > just signs the raw certificate.
> >
> > On Sat, Jan 19, 2019 at 11:32 PM Yegor Ievlev <koops1997 at gmail.com> wrote:
> > >
> > > I'm not sure if collision resistance is required for DH key
> > > derivation, but generally, SHA-1 is on its way out. If it's possible
> > > (if there's not a very large percentage of servers that do not support
> > > anything newer), it should be disabled.
Darren Tucker
2019-Jan-20 00:48 UTC
Can we disable diffie-hellman-group14-sha1 by default?
On Sun, 20 Jan 2019 at 12:21, Yegor Ievlev <koops1997 at gmail.com> wrote:
> Also, are DH groups sent by server signed in addition to server's
> supported algorithms?

Yes. From RFC4419 section 3:

"""
The server responds with:

  byte     SSH_MSG_KEX_DH_GEX_REPLY
  string   server public host key and certificates (K_S)
  mpint    f
  string   signature of H

The hash H is computed as the HASH hash of the concatenation of the
following:
[...]
  string   I_S, the payload of the server's SSH_MSG_KEXINIT
[...]
  mpint    p, safe prime
  mpint    g, generator for subgroup
"""

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
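To make concrete what the RFC 4419 quote above covers, here is an added Python example (not OpenSSH's code) that computes the exchange hash H from the full field list in RFC 4419 section 3 (the mail quotes only part of it), using the RFC 4251 `string`, `uint32` and `mpint` wire encodings. The DH values (p=23, g=5), version strings, KEXINIT payloads and host key blob are constructed toy data. Changing p changes H, which is why the server's signature over H authenticates the group as well as I_S.

```python
import hashlib


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b


def ssh_uint32(x: int) -> bytes:
    return x.to_bytes(4, "big")


def ssh_mpint(x: int) -> bytes:
    """RFC 4251 'mpint' for non-negative values: minimal big-endian two's
    complement, so a leading 0x00 byte is added when the top bit is set,
    and zero is encoded as the empty string."""
    if x < 0:
        raise ValueError("DH values are never negative")
    if x == 0:
        return ssh_string(b"")
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def gex_exchange_hash(v_c, v_s, i_c, i_s, k_s, min_bits, n_bits, max_bits,
                      p, g, e, f, k, hash_name="sha256"):
    """H = HASH(V_C || V_S || I_C || I_S || K_S || min || n || max ||
                p || g || e || f || K), each field in its wire encoding
    (RFC 4419 section 3).  The server signs H with its host key, so the
    group (p, g) and the server's KEXINIT payload I_S are both covered."""
    data = (
        ssh_string(v_c) + ssh_string(v_s) + ssh_string(i_c) + ssh_string(i_s)
        + ssh_string(k_s)
        + ssh_uint32(min_bits) + ssh_uint32(n_bits) + ssh_uint32(max_bits)
        + ssh_mpint(p) + ssh_mpint(g) + ssh_mpint(e) + ssh_mpint(f)
        + ssh_mpint(k)
    )
    return hashlib.new(hash_name, data).digest()


def demo(hash_name="sha256"):
    """Constructed toy exchange: p=23, g=5 stand in for a real safe prime so
    the arithmetic is readable; everything else is made-up sample data."""
    p, g = 23, 5
    x, y = 6, 15                       # client / server private exponents
    e, f = pow(g, x, p), pow(g, y, p)  # 8 and 19
    k = pow(f, x, p)                   # shared secret K, 2
    assert k == pow(e, y, p)
    common = dict(v_c=b"SSH-2.0-democlient", v_s=b"SSH-2.0-demoserver",
                  i_c=b"<constructed client KEXINIT payload>",
                  i_s=b"<constructed server KEXINIT payload>",
                  k_s=b"<constructed host key blob>",
                  min_bits=2048, n_bits=3072, max_bits=8192,
                  g=g, e=e, f=f, k=k, hash_name=hash_name)
    h_good = gex_exchange_hash(p=p, **common)
    # Only the bytes of p are changed here; a different H means the server's
    # signature over H no longer verifies, i.e. the group is authenticated.
    h_bad = gex_exchange_hash(p=p + 2, **common)
    return {"h": h_good, "tampered_differs": h_good != h_bad}
```

Passing `hash_name="sha1"` gives the 20-byte H that diffie-hellman-group-exchange-sha1 signs; `"sha256"` gives the 32-byte H of the -sha256 variant. The `ssh_mpint` encoding matches the worked example in RFC 4251 section 5 (value 0x9a378f9b2e332a7 encodes as `00 00 00 08 09 a3 78 f9 b2 e3 32 a7`).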
Mark D. Baushke
2019-Jan-20 17:58 UTC
Can we disable diffie-hellman-group14-sha1 by default?
Yegor Ievlev <koops1997 at gmail.com> writes:
> e.g. can we make it throw warnings etc. rsa-sha2-256 and rsa-sha2-512
> are fine, they use PSS.

I suggest you re-read RFC 8332 section 5.3 as they do NOT use PSS, they
use RSASSA-PKCS1-v1_5 signature padding.

| 5.3. PKCS #1 v1.5 Padding and Signature Verification
|
| This document prescribes RSASSA-PKCS1-v1_5 signature padding because:
|
|   (1) RSASSA-PSS is not universally available to all implementations;
|   (2) PKCS #1 v1.5 is widely supported in existing SSH
|       implementations;
|   (3) PKCS #1 v1.5 is not known to be insecure for use in this scheme.
|
| Implementers are advised that a signature with RSASSA-PKCS1-v1_5
| padding MUST NOT be verified by applying the RSA key to the
| signature, and then parsing the output to extract the hash. This may
| give an attacker opportunities to exploit flaws in the parsing and
| vary the encoding. Verifiers MUST instead apply RSASSA-PKCS1-v1_5
| padding to the expected hash, then compare the encoded bytes with the
| output of the RSA operation.

-- Mark
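Worked example of the verification rule quoted above from RFC 8332 section 5.3, added here and not taken from OpenSSH: the verifier re-encodes the expected hash with EMSA-PKCS1-v1_5 and compares the whole encoded block against the RSA output in constant time, instead of parsing a hash out of that output. The RSA key is a constructed, deliberately small demo key generated from a seeded PRNG (a real rsa-sha2-* key is 2048 bits or more); the DigestInfo prefixes are the standard ones from RFC 8017; the message being signed stands in for the SSH exchange hash H.

```python
import hashlib
import hmac
import random

# DER DigestInfo prefixes (RFC 8017 section 9.2, note 1) for the two hashes
# that rsa-sha2-256 and rsa-sha2-512 use.
DIGEST_INFO = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def emsa_pkcs1_v1_5_encode(digest: bytes, hash_name: str, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xFF bytes) || 0x00 || T, where T is the DER
    DigestInfo wrapped around the hash (RFC 8017 section 9.2)."""
    t = DIGEST_INFO[hash_name] + digest
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def _probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin; plenty for a throwaway demo key."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_demo_key(bits: int = 512, seed: int = 2019):
    """Constructed, deterministic RSA key (e=65537), far too small for real
    use; it exists only so the example runs offline and stand-alone."""
    rng, e = random.Random(seed), 65537

    def prime(nbits):
        while True:
            c = rng.getrandbits(nbits) | (1 << (nbits - 1)) | 1
            if _probable_prime(c, rng):
                return c

    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def _k(n: int) -> int:
    return (n.bit_length() + 7) // 8   # modulus length in bytes


def sign(msg: bytes, hash_name: str, n: int, d: int) -> bytes:
    """RSASSA-PKCS1-v1_5 signing, shown so the verifier has something to check."""
    em = emsa_pkcs1_v1_5_encode(hashlib.new(hash_name, msg).digest(), hash_name, _k(n))
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(_k(n), "big")


def verify(msg: bytes, sig: bytes, hash_name: str, n: int, e: int) -> bool:
    """Verification as RFC 8332 section 5.3 requires: build the expected EM
    from the hash we computed ourselves and compare the full block against
    the RSA output.  Nothing is parsed out of the RSA output, so a padding
    variant that a lenient parser might tolerate is simply a mismatch."""
    k = _k(n)
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if not 0 < s < n:
        return False
    em_actual = pow(s, e, n).to_bytes(k, "big")
    try:
        em_expected = emsa_pkcs1_v1_5_encode(hashlib.new(hash_name, msg).digest(), hash_name, k)
    except ValueError:                  # key too small for this hash: cannot be valid
        return False
    return hmac.compare_digest(em_actual, em_expected)


def demo():
    n, e, d = make_demo_key()
    msg = b"constructed stand-in for the SSH exchange hash H"
    sig = sign(msg, "sha256", n, d)
    # Same hash, but one non-canonical padding byte (made with the private key,
    # purely to show the verifier is strict about the whole encoding).
    em = bytearray(emsa_pkcs1_v1_5_encode(hashlib.sha256(msg).digest(), "sha256", _k(n)))
    em[5] = 0xFE
    odd_sig = pow(int.from_bytes(em, "big"), d, n).to_bytes(_k(n), "big")
    return {
        "valid": verify(msg, sig, "sha256", n, e),
        "other_message": verify(b"something else", sig, "sha256", n, e),
        "wrong_hash_alg": verify(msg, sig, "sha512", n, e),
        "noncanonical_padding": verify(msg, odd_sig, "sha256", n, e),
    }
```

Only the first case in `demo()` verifies; a signature over a different message, a signature checked under the wrong hash algorithm (different DigestInfo), and a signature whose padding deviates by a single byte all fail the byte-for-byte comparison. `hmac.compare_digest` keeps the comparison constant-time, which matters for a verifier that is reachable before authentication.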