IETF-SSH archive


diffie-hellman-group14-sha256 vs ssh-rsa and SHA-1



I implemented diffie-hellman-group14-sha256 (and -group15-sha512,
-group16-sha512, -group17-sha512, and -group18-sha512) some time ago.
Or, at least, so I thought.

Yesterday, I ran into a server that ignored the REQUIRED kex methods in
4253 6.5, offering neither of them.  This is admittedly on them, but I
did note they offered diffie-hellman-group14-sha256, among others,
making this an opportunity to try out my new code.  On investigating
why it wasn't negotiating diffie-hellman-group14-sha256, I discovered I
hadn't installed the new version.  So I did, I tried it out...and the
host key signature check fails.  Consistently.

It is conceivable, I suppose, that all my test connections are being
MitMed.  But it strikes me as more likely that I have a bug in my new
code.

The signature check is failing with a disagreement in the low 160 bits
of the result.  This strikes me as suspicious, because that's the size
of a SHA-1 result.  On code examination, it turns out this is because
the host key in question is an ssh-rsa key and ssh-rsa is defined to
use SHA-1.  I don't offhand see anything that calls for changing this,
but I could easily have missed something; is it correct to continue to
use SHA-1 there even when using a -sha256 or -sha512 kex method?

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
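As an added illustration, not part of the original message, of which hash goes where in the exchange described above: RFC 4253 section 8 computes the exchange hash H with the kex method's hash (SHA-256 for diffie-hellman-group14-sha256, SHA-512 for the -sha512 groups, per RFC 8268), while RFC 4253 section 6.6 defines an ssh-rsa signature over H as RSASSA-PKCS1-v1_5 with SHA-1 regardless of the kex method; RFC 8332 adds rsa-sha2-256 and rsa-sha2-512 for SHA-2 signatures with the same ssh-rsa key. The standard-library-only code below builds H from constructed toy inputs (the version strings, KEXINIT payloads, host key blob and DH values are placeholders, not from any real session) and shows that the PKCS#1 v1.5 encoded message an ssh-rsa signature covers ends in the 20-byte SHA-1 of H, i.e. the low 160 bits.

```python
"""Which hash is used where in an SSH DH key exchange with an RSA host key.

Wire encodings follow RFC 4251 section 5, the exchange hash follows
RFC 4253 section 8, ssh-rsa signing follows RFC 4253 section 6.6 and
rsa-sha2-* signing follows RFC 8332.  All inputs in demo() are
constructed toy values; real e, f and K are 2048-bit or larger.
"""
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: big-endian two's
    complement, with a leading 0x00 when the high bit is set."""
    if n < 0:
        raise ValueError("negative mpints are not needed for DH values")
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# The kex method name decides which hash computes the exchange hash H.
KEX_HASH = {
    "diffie-hellman-group14-sha1": "sha1",
    "diffie-hellman-group14-sha256": "sha256",
    "diffie-hellman-group15-sha512": "sha512",
    "diffie-hellman-group16-sha512": "sha512",
    "diffie-hellman-group17-sha512": "sha512",
    "diffie-hellman-group18-sha512": "sha512",
}

# The host key signature algorithm decides the hash inside the
# RSASSA-PKCS1-v1_5 signature over H; it is independent of KEX_HASH.
SIG_HASH = {"ssh-rsa": "sha1", "rsa-sha2-256": "sha256", "rsa-sha2-512": "sha512"}

# DER DigestInfo prefixes from RFC 8017 section 9.2, note 1.
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def exchange_hash(kex, v_c, v_s, i_c, i_s, k_s, e, f, k):
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K), RFC 4253 s8."""
    data = (ssh_string(v_c) + ssh_string(v_s) + ssh_string(i_c) + ssh_string(i_s)
            + ssh_string(k_s) + ssh_mpint(e) + ssh_mpint(f) + ssh_mpint(k))
    return hashlib.new(KEX_HASH[kex], data).digest()


def signed_digest(sig_alg, h):
    """The digest of H that the signature algorithm actually signs."""
    return hashlib.new(SIG_HASH[sig_alg], h).digest()


def emsa_pkcs1_v1_5(sig_alg, h, em_len):
    """EMSA-PKCS1-v1_5 encoding (RFC 8017 s9.2) of H for sig_alg; this is
    the block the RSA private key operation is applied to."""
    t = DIGEST_INFO[SIG_HASH[sig_alg]] + signed_digest(sig_alg, h)
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def signature_blob(sig_alg, raw_sig):
    """RFC 4253 s6.6 signature wrapper: string sig_alg, string blob.  Under
    RFC 8332 the name here is rsa-sha2-256/512 even though the host key
    blob itself still says ssh-rsa."""
    return ssh_string(sig_alg.encode()) + ssh_string(raw_sig)


def demo(kex="diffie-hellman-group14-sha256", sig_alg="ssh-rsa"):
    """Return (H, encoded message) for constructed inputs, not a real session."""
    h = exchange_hash(
        kex,
        v_c=b"SSH-2.0-clientexample_1.0",          # constructed version strings
        v_s=b"SSH-2.0-serverexample_1.0",
        i_c=b"\x14" + b"\x00" * 16 + b"kexinit-client",   # constructed KEXINIT payloads
        i_s=b"\x14" + b"\x00" * 16 + b"kexinit-server",
        k_s=ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE),  # toy key blob
        e=0x1234567890ABCDEF,                        # toy DH values
        f=0xFEDCBA0987654321,
        k=0x0123456789ABCDEF0123456789ABCDEF,
    )
    return h, emsa_pkcs1_v1_5(sig_alg, h, em_len=256)   # 2048-bit modulus


if __name__ == "__main__":
    h, em = demo()
    print("H (%s, %d bytes): %s" % (KEX_HASH["diffie-hellman-group14-sha256"], len(h), h.hex()))
    print("ssh-rsa signs SHA-1(H), the last 20 bytes of EM: %s" % em[-20:].hex())
```

Running it with the default arguments prints a 32-byte H and a 20-byte trailing digest; switching `sig_alg` to `"rsa-sha2-256"` changes only the DigestInfo prefix and the trailing digest to SHA-256(H), while `kex` changes only how H itself is computed.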


