IETF-SSH archive


Re: SHA-2 based HMAC algorithm...



Joseph, everyone,

I have just attempted to implement:

hmac-sha256@ssh.com
hmac-sha256-96@ssh.com

I can summarize the current state of this algorithm in one word. Awful.

I tested our implementation with two others: the Tectia client, and 
MindTerm.

In both cases, I needed to use the command line (sftpg3 for Tectia) or 
edit the textual host settings file (for MindTerm) because the graphical 
user interface of both programs has not been updated to support the 
algorithm.

I first assumed that implementations would logically follow the SSH 
transport RFC precedent, and use a 32-byte key for HMAC-256, just like 
there's a 20-byte key for SHA-1, and a 16-byte key for MD5.

Not so. It turns out that the Tectia client implementation initializes 
the hmac-sha256@ssh.com algorithm with a 16-byte HMAC key. The MindTerm 
implementation, on the other hand, uses a 20-byte HMAC key.

So, there's just no way that you can be compatible with both 
implementations of this private algorithm without explicit compatibility 
hacks from the get-go.

I want to implement HMAC-SHA-256 support because clients have requested 
it. The @ssh.com algorithm is apparently broken, and the choice of both 
a 16-byte and a 20-byte key seems dubious.

Is there a way we can agree on HMAC-SHA-256 with a 32-byte key, call it 
"hmac-sha256", and register it?

Can we agree that this is what we'll do, and implement it?

denis
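To make the interoperability problem above concrete, here is an added Python example (not code from Tectia, MindTerm or any other implementation named in this thread) that derives the client-to-server integrity key as RFC 4253 section 7.2 specifies, once for each of the three key lengths mentioned (16, 20 and 32 bytes), and computes the hmac-sha256 tag over one constructed packet. The shared secret K, the exchange hash H and the use of SHA-1 as the KEX hash are all constructed assumptions.

```python
import hashlib
import hmac
import struct

def derive_key(kex_hash, k_mpint, exchange_hash, letter, session_id, length):
    # RFC 4253 section 7.2: K1 = HASH(K || H || letter || session_id),
    # Kn = HASH(K || H || K1 || ... || K(n-1)); the key is the first `length`
    # bytes of K1 || K2 || ...  Only the MAC algorithm decides `length`, which
    # is exactly what the implementations in the thread disagree on.
    key = hashlib.new(kex_hash, k_mpint + exchange_hash + letter + session_id).digest()
    while len(key) < length:
        key += hashlib.new(kex_hash, k_mpint + exchange_hash + key).digest()
    return key[:length]

def ssh_mac(key, seqno, packet, tag_len=32):
    # RFC 4253 section 6.4: mac = MAC(key, sequence_number || unencrypted_packet).
    # The -96 variant keeps only the first 12 bytes of the tag.
    tag = hmac.new(key, struct.pack(">I", seqno) + packet, hashlib.sha256).digest()
    return tag[:tag_len]

def ssh_mac_verify(key, seqno, packet, tag):
    # Constant-time comparison against a freshly computed tag of the same length.
    return hmac.compare_digest(ssh_mac(key, seqno, packet, len(tag)), tag)

# Constructed stand-ins for real key-exchange output (not from any session).
K_MPINT = b"\x00" + b"\x2a" * 255                  # shared secret K as an SSH mpint
H = hashlib.sha1(b"constructed exchange hash input").digest()
SESSION_ID = H                                    # first exchange: session_id == H

# One SSH_MSG_SERVICE_REQUEST "ssh-userauth" binary packet, padded to 32 bytes.
PAYLOAD = b"\x05" + struct.pack(">I", 12) + b"ssh-userauth"
PADDING = b"\x00" * 10
PACKET = struct.pack(">IB", len(PAYLOAD) + len(PADDING) + 1, len(PADDING)) + PAYLOAD + PADDING

def tags_for_key_lengths(seqno=3):
    # Same K, H and packet; only the integrity-key length ("E" = client to server)
    # changes, so every peer computes a different tag and rejects the others'.
    return {
        n: ssh_mac(derive_key("sha1", K_MPINT, H, b"E", SESSION_ID, n), seqno, PACKET)
        for n in (16, 20, 32)
    }

if __name__ == "__main__":
    for n, tag in tags_for_key_lengths().items():
        print(f"{n:2d}-byte key -> hmac-sha256 tag {tag.hex()}")
```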


----- Original Message ----- 
From: "Joseph Galbraith" <galb-list%vandyke.com@localhost>
To: <ietf-ssh%NetBSD.org@localhost>
Sent: Friday, March 18, 2011 19:17
Subject: SHA-2 based HMAC algorithm...


Is there a SHA-2 based HMAC algorithm specified in any of
the recent extension RFCs?

I looked but didn't see one.

Has anyone implemented such a thing as a @domain.name extension?

Thanks,

Joseph




