Re: Can we disable diffie-hellman-group14-sha1 by default?

On Sat, 19 Jan 2019, Yegor Ievlev wrote:

> I'm not sure if collision resistance is required for DH key
> derivation, but generally, SHA-1 is on its way out. If it's possible
> (if there's not a very large percentage of servers that do not support
> anything newer), it should be disabled.

No, SHA1 is used as a PRF for key derivation so collision-resistance
is not needed.

Yes, a large number of devices only support this curve - it's the only
remaining MUST curve from the original RFCs that we enable by default.

It's the last preference on the client, and the KEX isn't subject to
MITM downgrade attacks unless the hostkey signature algorithm is broken,
so keeping it there doesn't affect the security of connections to
servers that support better KEX algorithms.

For these reasons we're keeping it. Feel free to adjust your own configs -
it's easy: "KexAlgorithms=-diffie-hellman-group14-sha1"

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
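Added example, not code from the thread or from OpenSSH: a POSIX sh model of the KexAlgorithms prefix rules from ssh_config(5) that the reply's one-liner relies on ("-" removes from the default set and accepts wildcards, "+" appends, "^" prepends), plus a check of what the real client would offer a host using `ssh -G`. DEFAULT_KEX is a constructed sample list, not OpenSSH's actual default.

```shell
#!/bin/sh
# Constructed sample of a client's default KEX list (not OpenSSH's real default).
DEFAULT_KEX="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1"

# remove_from_list LIST PATTERNS: drop every algorithm in comma-separated LIST
# that matches any comma-separated shell-style pattern (so "-*sha1" strips
# every SHA-1 KEX, as the "-" form of KexAlgorithms allows).
remove_from_list() {
    list=$1; patterns=$2; out=""
    oldifs=$IFS; IFS=,
    for alg in $list; do
        keep=1
        for pat in $patterns; do
            # $pat is left unquoted so the shell treats it as a glob pattern
            case "$alg" in $pat) keep=0 ;; esac
        done
        [ "$keep" -eq 1 ] && out="${out:+$out,}$alg"
    done
    IFS=$oldifs
    printf '%s\n' "$out"
}

# apply_kex_spec DEFAULTS SPEC: "-" removes, "+" appends, "^" prepends,
# and a bare list replaces the defaults outright.
apply_kex_spec() {
    case "$2" in
        -*) remove_from_list "$1" "${2#-}" ;;
        +*) printf '%s,%s\n' "$1" "${2#+}" ;;
        ^*) printf '%s,%s\n' "${2#^}" "$1" ;;
        *)  printf '%s\n' "$2" ;;
    esac
}

# kex_offered HOST: the KEX list the installed ssh client would offer HOST,
# read from `ssh -G`, which resolves the configuration without connecting.
kex_offered() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not installed" >&2; return 2; }
    ssh -G "$1" | awk '$1 == "kexalgorithms" { print $2 }'
}

# check_no_group14_sha1 HOST: succeed only if the effective config for HOST
# no longer offers diffie-hellman-group14-sha1 (status 2 if ssh is missing).
check_no_group14_sha1() {
    offered=$(kex_offered "$1") || return 2
    ! printf '%s\n' "$offered" | tr ',' '\n' | grep -qx diffie-hellman-group14-sha1
}

printf 'after -diffie-hellman-group14-sha1: %s\n' \
    "$(apply_kex_spec "$DEFAULT_KEX" '-diffie-hellman-group14-sha1')"
```

Run `check_no_group14_sha1 some-host` after editing ssh_config to confirm the directive took effect for that host's resolved configuration.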
