Strange crypto choices

The defaults for HostKeyAlgorithms option are:

ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,
ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,
ssh-ed25519-cert-v01@xxxxxxxxxxx,
ssh-rsa-cert-v01@xxxxxxxxxxx,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,ssh-rsa

Why does OpenSSH prefer older and less secure
(https://safecurves.cr.yp.to/) ECDSA with NIST curves over Ed25519?
Also, why are smaller key, curve and hash sizes preferred over bigger
ones?

The default ciphers are:

chacha20-poly1305@xxxxxxxxxxx,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
Why is CTR mode preferred over GCM? Usually, AEAD ciphers are
preferred over non-AEAD ones.

The default MACs are:

umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,
hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,
hmac-sha1-etm@xxxxxxxxxxx,
umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,
hmac-sha2-256,hmac-sha2-512,hmac-sha1

Why is UMAC preferred over HMAC? UMAC is less widely known and does
not have as much research done on its security as HMAC.

Also, in the ssh-rsa-cert-v01@xxxxxxxxxxx case the certificate is signed
using SHA-1, allowing the certificate signature to be forged. In the
ssh-rsa case the attack is mitigated because the data is hashed with
SHA-256 before being signed. I suggest disabling this method by
default.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
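Added here as a worked example (my own constructed code, not OpenSSH's and not from the poster) is a small auditor that flags, in any ordered SSH algorithm preference list, the concerns raised in the post above: NIST ECDSA ranked ahead of Ed25519, smaller sizes ahead of bigger ones, non-AEAD ciphers ahead of AEAD ones, UMAC ahead of HMAC, SHA-1 based entries, and the ssh-rsa-cert-v01 method. It assumes the masked @xxxxxxxxxxx suffix is @openssh.com.

```python
"""Audit SSH algorithm preference lists for the ordering concerns above.
Constructed example, not OpenSSH code; input is a comma-separated list
as in ssh_config or an `ssh -G host` "option value" line."""
import re

def _split(prefs):
    return [a.strip() for a in prefs.split(",") if a.strip()]

def _first(names, pred):  # index of the first name satisfying pred, or None
    return next((i for i, n in enumerate(names) if pred(n)), None)

def _small_before_big(names, family_re):  # e.g. nistp256 listed before nistp384
    sizes = [int(m.group(1)) for n in names if (m := re.search(family_re, n))]
    return any(a < b for a, b in zip(sizes, sizes[1:]))

def audit_host_keys(prefs):
    names, issues = _split(prefs), []
    ecdsa = _first(names, lambda n: n.startswith("ecdsa-sha2-nistp"))
    ed = _first(names, lambda n: n.startswith("ssh-ed25519"))
    if ecdsa is not None and ed is not None and ecdsa < ed:
        issues.append("nistp ecdsa ranked ahead of ssh-ed25519")
    if _small_before_big(names, r"nistp(\d+)"):
        issues.append("smaller nistp curve ranked ahead of a bigger one")
    # the post states that the ssh-rsa-cert-v01 certificate signature uses SHA-1
    issues += [f"{n}: SHA-1 certificate signature" for n in names if n.startswith("ssh-rsa-cert")]
    return issues

def audit_ciphers(prefs):
    names, issues = _split(prefs), []
    aead = lambda n: "-gcm@" in n or "poly1305" in n
    non_aead = _first(names, lambda n: not aead(n))
    last_aead = max((i for i, n in enumerate(names) if aead(n)), default=-1)
    if non_aead is not None and non_aead < last_aead:
        issues.append(f"non-AEAD {names[non_aead]} ranked ahead of {names[last_aead]}")
    if _small_before_big(names, r"aes(\d+)"):
        issues.append("smaller AES key ranked ahead of a bigger one")
    return issues

def audit_macs(prefs):
    names, issues = _split(prefs), []
    umac = _first(names, lambda n: n.startswith("umac-"))
    hmac = _first(names, lambda n: n.startswith("hmac-sha2"))
    if umac is not None and hmac is not None and umac < hmac:
        issues.append("umac ranked ahead of hmac-sha2")
    issues += [f"{n}: SHA-1 based" for n in names if "sha1" in n]
    issues += [f"{n}: not encrypt-then-MAC" for n in names if "-etm@" not in n]
    return issues
```

To check a live client configuration, pass it the values of the hostkeyalgorithms, ciphers and macs lines that `ssh -G host` prints.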