IETF-SSH archive


Re: SHA-2 based HMAC algorithm...



Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost> writes:

> "denis bider" <d3%denisbider.com@localhost> writes:
> 
> >I have submitted a draft:
> >
> >http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-00.txt
> >
> >Comments appreciated.
> 
> Just one minor nit, you should probably specify in section 2 that lengths are
> in bytes (e.g. "32 bytes" rather than just "32"), given that there are bit-
> lengths used in the same sentence.
> 
> Also, should at least SHA2-256 be a SHOULD?  That seems to be the most common
> SHA2 variant around.
> 
> Anyone want to do some interop-testing with this?  I should be able to add
> support for it later in the week when (if) I get a free day.

Below is a patch adding support for it to OpenSSH 5.8p1.
(For best results use OpenSSL 0.9.8r as the ssl library.)

	-- Mark

Patch to OpenSSH 5.8p1 to support
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-00.txt

Index: openssh-5.8p1/mac.c
--- openssh-5.8p1/mac.c	2008-06-12 17:58:50.000000000 -0700
+++ openssh-5.8p1/mac.c	2011-04-08 07:13:30.764657000 -0700
@@ -57,6 +57,10 @@ struct {
 } macs[] = {
 	{ "hmac-sha1",			SSH_EVP, EVP_sha1, 0, -1, -1 },
 	{ "hmac-sha1-96",		SSH_EVP, EVP_sha1, 96, -1, -1 },
+	{ "hmac-sha2-256",		SSH_EVP, EVP_sha256, 0, -1, -1 },
+	{ "hmac-sha2-256-96",		SSH_EVP, EVP_sha256, 96, -1, -1 },
+	{ "hmac-sha2-512",		SSH_EVP, EVP_sha512, 0, -1, -1 },
+	{ "hmac-sha2-512-96",		SSH_EVP, EVP_sha512, 96, -1, -1 },
 	{ "hmac-md5",			SSH_EVP, EVP_md5, 0, -1, -1 },
 	{ "hmac-md5-96",		SSH_EVP, EVP_md5, 96, -1, -1 },
 	{ "hmac-ripemd160",		SSH_EVP, EVP_ripemd160, 0, -1, -1 },
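
Review bot: The four added macs[] entries reference EVP_sha256 and EVP_sha512 with no preprocessor guard, so a build against an OpenSSL that lacks the SHA-2 digests fails to compile mac.c instead of simply leaving these MACs out. Wrap the new entries in a configure-time check for EVP_sha256 so that older libraries still build; the cover note's "for best results" hint about OpenSSL 0.9.8r suggests the library version matters here.
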
Index: openssh-5.8p1/myproposal.h
--- openssh-5.8p1/myproposal.h	2011-01-13 03:00:22.000000000 -0800
+++ openssh-5.8p1/myproposal.h	2011-04-08 07:13:30.769646000 -0700
@@ -78,8 +78,9 @@
 #define	KEX_DEFAULT_MAC \
 	"hmac-md5,hmac-sha1,umac-64%openssh.com@localhost,hmac-ripemd160," \
 	"hmac-ripemd160%openssh.com@localhost," \
-	"hmac-sha1-96,hmac-md5-96"
+	"hmac-sha1-96,hmac-md5-96," \
+	"hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96"
 #define	KEX_DEFAULT_COMP	"none,zlib%openssh.com@localhost,zlib"
 #define	KEX_DEFAULT_LANG	""
 
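
Review bot: The new names are appended to the very end of KEX_DEFAULT_MAC, after hmac-md5-96, so with default settings on both sides the SHA-2 MACs are chosen only when no other MAC is shared, because negotiation takes the first client-listed algorithm the server also supports. For the interop testing asked for in the thread, either move them ahead of the MD5 and truncated entries or state that the tests must select them explicitly through the MACs option. It is also worth deciding whether the -96 variants belong in the default list at all.
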
Index: openssh-5.8p1/ssh.0
--- openssh-5.8p1/ssh.0	2011-02-03 17:00:02.000000000 -0800
+++ openssh-5.8p1/ssh.0	2011-04-08 07:13:30.796642000 -0700
@@ -389,8 +389,9 @@ AUTHENTICATION
      support similar authentication methods, but protocol 2 is the default
      since it provides additional mechanisms for confidentiality (the traffic
      is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
-     integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).  Protocol 1
-     lacks a strong mechanism for ensuring the integrity of the connection.
+     integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512,
+     umac-64, hmac-ripemd160). Protocol 1 lacks a strong mechanism for
+     ensuring the integrity of the connection.
 
      The methods available for authentication are: GSSAPI-based
      authentication, host-based authentication, public key authentication,
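
Review bot: Style point on the re-wrapped sentence: the added line "umac-64, hmac-ripemd160). Protocol 1 lacks" uses a single space after the period, while the removed line had two ("hmac-ripemd160).  Protocol 1"). Keep the two-space sentence break so the formatted page stays consistent with the text around it.
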
Index: openssh-5.8p1/ssh.1
--- openssh-5.8p1/ssh.1	2010-11-19 20:21:03.000000000 -0800
+++ openssh-5.8p1/ssh.1	2011-04-08 07:13:30.897576000 -0700
@@ -664,7 +664,9 @@ Both protocols support similar authentic
 but protocol 2 is the default since
 it provides additional mechanisms for confidentiality
 (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
-and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
+and integrity (hmac-md5, hmac-sha1,
+hmac-sha2-256, hmac-sha2-512,
+umac-64, hmac-ripemd160).
 Protocol 1 lacks a strong mechanism for ensuring the
 integrity of the connection.
 .Pp
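
Review bot: The new names are inserted between hmac-sha1 and umac-64 here, whereas the sshd.8 hunk in the same patch appends them after hmac-ripemd160 ("hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512"). Pick one ordering and use it in ssh.1, ssh.0, sshd.8 and sshd.0 so the client and server manual pages list the MACs the same way.
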
Index: openssh-5.8p1/ssh_config.0
--- openssh-5.8p1/ssh_config.0	2011-02-03 17:00:03.000000000 -0800
+++ openssh-5.8p1/ssh_config.0	2011-04-08 07:13:30.812638000 -0700
@@ -451,7 +451,9 @@ DESCRIPTION
              must be comma-separated.  The default is:
 
                    hmac-md5,hmac-sha1,umac-64%openssh.com@localhost,
-                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
+                   hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
+                   hmac-hmac-sha2-512-96
 
      NoHostAuthenticationForLocalhost
              This option can be used if the home directory is shared across
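
Review bot: Two of the added algorithm names in the documented default are misspelled and do not match the names registered in mac.c: "hmac-sha256-96" should be "hmac-sha2-256-96", and "hmac-hmac-sha2-512-96" should be "hmac-sha2-512-96". A user who copies this list into a MACs line would get names the table in mac.c does not contain, so fix both before this is applied.
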
Index: openssh-5.8p1/ssh_config.5
--- openssh-5.8p1/ssh_config.5	2010-12-25 19:26:48.000000000 -0800
+++ openssh-5.8p1/ssh_config.5	2011-04-08 07:13:30.902578000 -0700
@@ -770,7 +770,9 @@ Multiple algorithms must be comma-separa
 The default is:
 .Bd -literal -offset indent
 hmac-md5,hmac-sha1,umac-64%openssh.com@localhost,
-hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
+hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
+hmac-sha2-512-96
 .Ed
 .It Cm NoHostAuthenticationForLocalhost
 This option can be used if the home directory is shared across machines.
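
Review bot: The added default list spells the truncated SHA-256 MAC as "hmac-sha256-96", but mac.c and myproposal.h in this patch use "hmac-sha2-256-96". Correct the name here so the man page matches the string that is actually negotiated.
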
Index: openssh-5.8p1/sshd.0
--- openssh-5.8p1/sshd.0	2011-02-03 17:00:02.000000000 -0800
+++ openssh-5.8p1/sshd.0	2011-04-08 07:13:30.839599000 -0700
@@ -167,8 +167,8 @@ AUTHENTICATION
      AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.  The
      client selects the encryption algorithm to use from those offered by the
      server.  Additionally, session integrity is provided through a
-     cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64
-     or hmac-ripemd160).
+     cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64,
+     hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512).
 
      Finally, the server and the client enter an authentication dialog.  The
      client tries to authenticate itself using host-based authentication,
Index: openssh-5.8p1/sshd.8
--- openssh-5.8p1/sshd.8	2010-11-04 16:20:14.000000000 -0700
+++ openssh-5.8p1/sshd.8	2011-04-08 07:13:30.908565000 -0700
@@ -314,7 +314,8 @@ The client selects the encryption algori
 to use from those offered by the server.
 Additionally, session integrity is provided
 through a cryptographic message authentication code
-(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
+(hmac-md5, hmac-sha1, umac-64, hmac-ripemd160,
+hmac-sha2-256 or hmac-sha2-512).
 .Pp
 Finally, the server and the client enter an authentication dialog.
 The client tries to authenticate itself using
Index: openssh-5.8p1/sshd_config.0
--- openssh-5.8p1/sshd_config.0	2011-02-03 17:00:02.000000000 -0800
+++ openssh-5.8p1/sshd_config.0	2011-04-08 07:13:30.881570000 -0700
@@ -375,7 +375,9 @@ DESCRIPTION
              separated.  The default is:
 
                    hmac-md5,hmac-sha1,umac-64%openssh.com@localhost,
-                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
+                   hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
+		    hmac-sha2-512-96
 
      Match   Introduces a conditional block.  If all of the criteria on the
              Match line are satisfied, the keywords on the following lines
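
Review bot: Same misspelling as in the ssh_config pages: "hmac-sha256-96" should read "hmac-sha2-256-96" to match mac.c. In addition, the last added line ("hmac-sha2-512-96") is indented with tabs while the surrounding lines of the list use spaces, so the formatted page will not align; use the same space indentation as the lines above it.
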
Index: openssh-5.8p1/sshd_config.5
--- openssh-5.8p1/sshd_config.5	2010-12-25 19:26:48.000000000 -0800
+++ openssh-5.8p1/sshd_config.5	2011-04-08 07:13:30.926577000 -0700
@@ -654,7 +654,9 @@ Multiple algorithms must be comma-separa
 The default is:
 .Bd -literal -offset indent
 hmac-md5,hmac-sha1,umac-64%openssh.com@localhost,
-hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
+hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
+hmac-sha2-512-96
 .Ed
 .It Cm Match
 Introduces a conditional block.
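
Review bot: The added default list again has "hmac-sha256-96" where the code registers "hmac-sha2-256-96". Fix the name so the documented sshd_config default matches KEX_DEFAULT_MAC in myproposal.h.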


