Re: hmac-ripemd160 not in PROTOCOL

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Sat, Nov 7, 2015 at 8:02 PM, Max Horn <max@xxxxxxxxx> wrote:
>> On 07.11.2015, at 04:43, Darren Tucker <dtucker@xxxxxxxxxx> wrote:
[...]
>> I suspect the @openssh one was before ripemd was added to the (at the
>> time in draft) standards, and the new name was added once it was.
>
> Ahhh, I am sorry, I should have lead with this: To the best of my knowledge,
> hmac-ripemd160 occurs nowhere in the SSH specification, and is an OpenSSH
> extension. Hence, I am surprised to see "hmac-ripemd160" in the mac list,
> without the @openssh.com, and was wondering about the story behind it...
>
> But I am happy to learn I am wrong, though then I'd also like to learn which
> standard you are referring to?

I was referring to RFC4253 et al, but only assumed it was there
because of the lack of @openssh suffix on the MAC name, not because I
had gone looking for it.  Having just done so I agree that it's not
there!  I also can't find it in any of the internet-draft specs.

While trying to figure this out, I found the following interesting things:
Markus' early comment on OpenSSH protocol 2 support mentions hmac-ripemd160:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2000-April/001175.html

This manual for the ssh.com software dated 2003 lists hmac-ripemd160
as a supported MAC.
http://www.hiz-saarland.de/doku/ssh/ssh2unix_adminguide32.pdf

The snail book says "OpenSSH also implements a nonstandard MAC
algorithm, hmac-ripemd160@xxxxxxxxxxx.  The name hmac-ripemd160 is
also recognised without the @openssh.com suffix, but this is
deprecated, since all nonstandard names are supposed to use a domain
suffix."

Since this was before Portable pulled synced individual commits, I
went back to the OpenBSD tree.
hmac-ripemd160@openssh appeared in a commit from Markus on 2000-04-03
with the description "DSA, keyexchange, algorithm agreement for ssh2".
hmac-ripemd160 without the suffix first appeared in a commit by Markus
on 2001-02-11 (http://www.dtucker.net/openssh/patches/openssh-ripemd160.patch)
with this description:
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
        ok stevesk@, provos@

In summary, I have no idea why it ended up the way it did.  Maybe
Markus can recall?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux