James Ralston <ralston@xxxxxxxxx> writes:

> As others have mentioned, there is guidance about this in
> draft-ietf-curdle-ssh-kex-sha2:
>
> https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
>
> In summary, of these SHA-1 KexAlgorithms:
>
> * diffie-hellman-group1-sha1
> * diffie-hellman-group14-sha1
> * diffie-hellman-group-exchange-sha1
>
> and these SHA-1 GSSAPIKexAlgorithms:
>
> * gss-gex-sha1-
> * gss-group1-sha1-
> * gss-group14-sha1-
>
> …if it is necessary to enable one of them for backward compatibility
> with clients/servers that support only SHA-1 algorithms, then this is
> the only one that should be enabled:
>
> * diffie-hellman-group14-sha1 (for KexAlgorithms)
> * gss-group14-sha1- (for GSSAPIKexAlgorithms)
>
> …because of the three, only group14-sha1 is using a 2048-bit MODP
> group. So if one must be enabled, it is the least-bad one to enable.
>
> This reasoning was explained in a previous version of the kex draft:
>
> https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-11.html
>
> Unfortunately, the explanation in the current version of the draft is
> arguably less clear.

Yup, a reviewer did not like my explanation and asked me to remove it.

group14 provides for 112 bits of security strength. sha1 provides a nominal 80 bits of security strength, but due to the current compromises, it may be as weak as only 64 bits of security strength. So, the *group14-sha1* has security strength MIN(112, 64) == ~64 bits of security strength.

When trying to use this with 3des-cbc, which has a nominal 112 bits of security but weaknesses associated with a small block size, the security strength may be less secure than 112 bits. That said, the shared key generated by the key exchange will not really have enough security strength for most users.
Realistically, to provide for 128 bits of security strength for symmetric ciphers: aes128-ctr, aes128-cbc, aes128-gcm@xxxxxxxxxxx, AEAD_AES_128_GCM, which all have symmetric keys of ~128 bits of security strength, one may use any of these key exchanges:

curve25519-sha256
curve448-sha512
diffie-hellman-group-exchange-sha256
diffie-hellman-group15-sha512
diffie-hellman-group16-sha512
diffie-hellman-group17-sha512
diffie-hellman-group18-sha512
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
gss-curve25519-sha256-*
gss-curve448-sha512-*
gss-group15-sha512-*
gss-group16-sha512-*
gss-group17-sha512-*
gss-group18-sha512-*

which all provide the needed security strength and work fine.

Be safe, stay healthy,

-- 
Mark
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
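The MIN(group, hash) reasoning in the message above, applied mechanically to an sshd_config KexAlgorithms/Ciphers pair, as an added example that is not part of the thread or of OpenSSH. The strength figures are the ones Mark gives (group14 = 112, SHA-1 = 64 effective, 3des-cbc = 112 nominal) plus NIST SP 800-57 / RFC 3526 estimates for the other MODP groups and curves; the sample config lines are constructed, and diffie-hellman-group-exchange-* is assumed to negotiate a 2048-bit modulus unless told otherwise, since its strength depends on the server's moduli file rather than on the algorithm name.

```python
"""Audit and harden an OpenSSH KexAlgorithms line by estimated security strength.

Effective strength of a kex = MIN(group/curve strength, hash strength),
following the reasoning in the mailing-list post. All numbers are
approximations; SHA-1 is scored at 64 bits (the post's pessimistic figure),
not its nominal 80.
"""
import re
from typing import List, Optional, Tuple

# Bits of security per MODP modulus size (NIST SP 800-57 / RFC 3526 estimates).
MODP_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 4096: 152, 6144: 176, 8192: 192}
GROUP_BITS = {"group1": 1024, "group14": 2048, "group15": 3072,
              "group16": 4096, "group17": 6144, "group18": 8192}
CURVE_STRENGTH = {"curve25519": 128, "curve448": 224,
                  "nistp256": 128, "nistp384": 192, "nistp521": 256}
HASH_STRENGTH = {"sha1": 64, "sha256": 128, "sha384": 192, "sha512": 256}
# 3des-cbc keeps its nominal 112 here; the small-block caveat is not modelled.
CIPHER_STRENGTH = {"3des-cbc": 112, "aes128-ctr": 128, "aes128-cbc": 128,
                   "aes128-gcm@openssh.com": 128, "aes256-ctr": 256,
                   "aes256-gcm@openssh.com": 256, "chacha20-poly1305@openssh.com": 256}

# Matches plain and gss-* names: optional "gss-", optional "diffie-hellman-",
# then the group/curve token and the hash; anything after the hash (the GSS
# OID suffix or "-*") is ignored.
_KEX_RE = re.compile(r"^(?:gss-)?(?:diffie-hellman-)?"
                     r"(?P<group>group\d+|group-exchange|gex|curve25519|curve448)"
                     r"-(?P<hash>sha\d+)")
_ECDH_RE = re.compile(r"^ecdh-sha2-(?P<curve>nistp\d+)$")
_ECDH_HASH = {"nistp256": "sha256", "nistp384": "sha384", "nistp521": "sha512"}  # RFC 5656


def kex_strength(name: str, gex_bits: int = 2048) -> Optional[int]:
    """MIN(group, hash) strength in bits, or None for names this table does not know.

    gex_bits is an assumed modulus size for group-exchange kexes (default 2048,
    an assumption: the real value comes from the negotiated /etc/ssh/moduli entry).
    """
    base = name.split("@", 1)[0]          # drop @openssh.com / @libssh.org suffixes
    m = _ECDH_RE.match(base)
    if m:
        curve = m.group("curve")
        if curve not in _ECDH_HASH:
            return None
        return min(CURVE_STRENGTH[curve], HASH_STRENGTH[_ECDH_HASH[curve]])
    m = _KEX_RE.match(base)
    if not m:
        return None
    group, hsh = m.group("group"), m.group("hash")
    if group in ("gex", "group-exchange"):
        g = MODP_STRENGTH.get(gex_bits)
    elif group in GROUP_BITS:
        g = MODP_STRENGTH[GROUP_BITS[group]]
    else:
        g = CURVE_STRENGTH.get(group)
    h = HASH_STRENGTH.get(hsh)
    if g is None or h is None:
        return None
    return min(g, h)


def weakest_cipher(cipher_line: str) -> Optional[int]:
    """Strength of the weakest known cipher in a Ciphers line (None if none known)."""
    known = [CIPHER_STRENGTH[c] for c in cipher_line.split(",") if c in CIPHER_STRENGTH]
    return min(known) if known else None


def audit(kex_line: str, target: int, gex_bits: int = 2048) -> List[Tuple[str, Optional[int], str]]:
    """Label each kex 'ok', 'weak' (below target) or 'unknown' (not in the table)."""
    out = []
    for name in kex_line.split(","):
        s = kex_strength(name, gex_bits)
        verdict = "unknown" if s is None else ("weak" if s < target else "ok")
        out.append((name, s, verdict))
    return out


def harden(kex_line: str, target: int, allow_legacy: bool = False, gex_bits: int = 2048) -> str:
    """Drop every kex known to fall below target, preserving order.

    With allow_legacy, append diffie-hellman-group14-sha1 last: per the post it is
    the least-bad SHA-1 kex when SHA-1-only peers must still connect.
    Unknown names are kept for manual review rather than silently removed.
    """
    kept = []
    for name in kex_line.split(","):
        s = kex_strength(name, gex_bits)
        if s is None or s >= target:
            kept.append(name)
    if allow_legacy and "diffie-hellman-group14-sha1" not in kept:
        kept.append("diffie-hellman-group14-sha1")
    return ",".join(kept)


# Constructed sample config lines (not from any real host).
SAMPLE_KEX = ",".join([
    "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
    "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
])
SAMPLE_CIPHERS = "aes128-ctr,aes128-gcm@openssh.com,3des-cbc"

if __name__ == "__main__":
    for name, bits, verdict in audit(SAMPLE_KEX, 128):
        print(f"{verdict:8} {bits!s:>5}  {name}")
    print("weakest cipher:", weakest_cipher(SAMPLE_CIPHERS))
    print("KexAlgorithms", harden(SAMPLE_KEX, 128))
    print("KexAlgorithms", harden(SAMPLE_KEX, 128, allow_legacy=True))
```

Note that with the default 2048-bit assumption, diffie-hellman-group-exchange-sha256 scores 112 and is dropped for a 128-bit target; passing gex_bits=3072 or larger (after pruning /etc/ssh/moduli accordingly) lets it through, which is the check a practitioner should make before relying on it.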