disable sha1-based key exchanges

[bkw]

Following the very interesting post https://stribika.github.io/2015/01/04/secure-secure-shell.html by @stribika I think it would make sense to at least offer an option to disable sha1-based key exchanges on systems that support better ones.

What do you think?

[chris-rock]

@bkw will study this in-depth

[stribika]

Having a strong hash there is what prevents downgrade attacks. The KDF at the end of the key exchange doesn't only take s as input, but also the supported list of algorithms and the basically arbitrary banners. That overview I included is... let's call it simplified.

If you try to downgrade, Alice will end up calculating
k = KDF(s || algo_list_alice || algo_list_nsa1 || banner_alice || banner_nsa1)
while Bob will calculate
k = KDF(s || algo_list_nsa2 || algo_list_bob || banner_nsa2 || banner_bob)
and end up with different keys.

Unless we are using a sufficiently broken hash. In that case, banner_nsa can be used to synchronize k again.

[atomic111]

yes, this is a good point, but it should be configurable.

2015-01-07 18:48 GMT+01:00 Bernhard Weisshuhn (a.k.a. bernhorst) <
notifications@github.com>:

Following the very interesting post
https://stribika.github.io/2015/01/04/secure-secure-shell.html by
@stribika https://github.com/stribika I think it would make sense to at
least offer an option to disable sha1-based key exchanges on systems that
support better ones.

What do you think?

—
Reply to this email directly or view it on GitHub
#64.

[arlimus]

@bkw Thanks again for bringing this up :)
@stribika Thank you for your insights!

We'll add it to code this week.

[arlimus]

inclued in chef-ssh-hardening v1.0.3