IETF-SSH archive
diffie-hellman-group14-sha256 vs ssh-rsa and SHA-1
I implemented diffie-hellman-group14-sha256 (and -group15-sha512,
-group16-sha512, -group17-sha512, and -group18-sha512) some time ago.
Or, at least, so I thought.
Yesterday, I ran into a server that ignored the REQUIRED kex methods in
4253 6.5, offering neither of them. This is admittedly on them, but I
did note they offered diffie-hellman-group14-sha256, among others,
making this an opportunity to try out my new code. On investigating
why it wasn't negotiating diffie-hellman-group14-sha256, I discovered I
hadn't installed the new version. So I did, I tried it out...and the
host key signature check fails. Consistently.
It is conceivable, I suppose, that all my test connections are being
MitMed. But it strikes me as more likely that I have a bug in my new
code.
The signature check is failing with a disagreement in the low 160 bits
of the result. This strikes me as suspicious, because that's the size
of a SHA-1 result. On code examination, it turns out this is because
the host key in question is an ssh-rsa key and ssh-rsa is defined to
use SHA-1. I don't offhand see anything that calls for changing this,
but I could easily have missed something; is it correct to continue to
use SHA-1 there even when using a -sha256 or -sha512 kex method?
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
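An added example (Python, not the poster's code) of the two separate hash choices this post runs into: the exchange hash H uses the digest named by the negotiated kex method, while an ssh-rsa signature over H uses SHA-1 in every case (RFC 4253 section 6.6; the SHA-2 variants are the separate rsa-sha2-256 / rsa-sha2-512 algorithm names from RFC 8332). `expected_em` takes the signature digest from the algorithm name in the signature blob; `buggy_em` reuses the kex hash instead and builds a different PKCS#1 v1.5 encoded message, so a valid signature is rejected. The kex field values are constructed sample data, and no RSA key is involved, only the encoded message the RSA verify would compare.

```python
import hashlib
import struct

# Hash for the exchange hash H: chosen by the negotiated kex method name.
KEX_HASH = {"diffie-hellman-group14-sha1": "sha1",
            "diffie-hellman-group14-sha256": "sha256", "diffie-hellman-group16-sha512": "sha512"}
# Hash inside the host-key signature: chosen by the algorithm name in the signature
# blob (RFC 4253 6.6: ssh-rsa = PKCS#1 v1.5 with SHA-1; RFC 8332: rsa-sha2-256/-512).
SIG_HASH = {"ssh-rsa": "sha1", "rsa-sha2-256": "sha256", "rsa-sha2-512": "sha512"}
# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017 9.2).
DIGEST_INFO = {"sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
               "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
               "sha512": bytes.fromhex("3051300d060960864801650304020305000440")}

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:  # non-negative only; leading 0x00 if top bit set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"")

def exchange_hash(kex: str, fields: list) -> bytes:
    """H = HASH(V_C||V_S||I_C||I_S||K_S||e||f||K); bytes -> string, int -> mpint."""
    h = hashlib.new(KEX_HASH[kex])
    for f in fields:
        h.update(ssh_mpint(f) if isinstance(f, int) else ssh_string(f))
    return h.digest()

def parse_sig_blob(blob: bytes):
    """Signature blob = string alg-name || string sig-bytes (RFC 4253 6.6)."""
    (n,) = struct.unpack(">I", blob[:4])
    alg, rest = blob[4:4 + n].decode("ascii"), blob[4 + n:]
    (m,) = struct.unpack(">I", rest[:4])
    if len(rest) != 4 + m:
        raise ValueError("malformed signature blob")
    return alg, rest[4:]

def emsa_pkcs1_v15(hash_name: str, msg: bytes, em_len: int) -> bytes:
    """EM = 00 01 FF..FF 00 DigestInfo||HASH(msg): what RSA verification compares."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def expected_em(kex: str, sig_blob: bytes, fields: list, em_len: int) -> bytes:
    """Correct: the signature digest follows the blob's algorithm name, not the kex."""
    alg, _ = parse_sig_blob(sig_blob)
    return emsa_pkcs1_v15(SIG_HASH[alg], exchange_hash(kex, fields), em_len)

def buggy_em(kex: str, sig_blob: bytes, fields: list, em_len: int) -> bytes:
    """Bug under discussion: reusing the kex hash for an ssh-rsa signature."""
    return emsa_pkcs1_v15(KEX_HASH[kex], exchange_hash(kex, fields), em_len)
```

With a 2048-bit host key (em_len 256) the correct and buggy encodings diverge from the padding boundary onward, because the SHA-1 DigestInfo plus digest is 35 bytes while the SHA-256 one is 51.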