IETF-SSH archive


Re: diffie-hellman-group14-sha256 vs ssh-rsa and SHA-1



> Either OpenSSH in general, or some widely-used configuration of
> OpenSSH, does this out of the box,

OpenSSH in general does not; I have connected and do connect to plenty
of OpenSSH boxen with no MTI trouble at all.  I just checked with one
of them (a Raspberry pi I have because of work), and

569  remote version string: SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2
...
580  pi: peer's algorithms (%=unrecognized, *=disabled):
581           kex: %curve25519-sha256 %curve25519-sha256%libssh.org@localhost %ecdh-sha2-nistp256 %ecdh-sha2-nistp384 %ecdh-sha2-nistp521 %diffie-hellman-group-exchange-sha256 diffie-hellman-group16-sha512 %diffie-hellman-group18-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1

so I suspect it's more a widely-used configuration.  (But even this
configuration offers only one of the two MTI kexen.)

> So with a bug workaround for nonstandard implementations you can
> connect OK, I get:

> Final accepted suite: diffie-hellman-group-exchange-sha256.
> Final accepted suite: rsa-sha2-256.
> Final accepted suite: aes128-ctr.
> Final accepted suite: hmac-sha2-256.

I'm not surprised.  While the remote end certainly exhibits a bug, in
that it doesn't offer the MTI kexen, I do not expect that the signature
failures I'm seeing with my group14-sha256 kex are the remote end's
fault.  And, indeed, late yesterday I found a bug in my code and now I
can connect fine.  (When writing the -sha256 and -sha512 code, it looks
as though I copied the -sha1 code and changed too little of it.  I was
setting the kex hash size to 20 even for -sha256 and -sha512.)

>> The signature check is failing with a disagreement in the low 160
>> bits of the result.  This strikes me as suspicious, because that's
>> the size of a SHA-1 result.  On code examination, it turns out this
>> is because the host key in question is an ssh-rsa key and ssh-rsa is
>> defined to use SHA-1.  [...]
> I'm getting SHA2 everywhere, see above, how are you getting SHA1?

Because the host key is used to sign the kex hash, and it's an ssh-rsa
key, so its signatures are defined to use SHA-1.  (The peer offers
rsa-sha2-512 rsa-sha2-256 ssh-rsa ecdsa-sha2-nistp256 ssh-ed25519, but
the only one of those I implement is ssh-rsa.  I should go looking for
specs to implement rsa-sha2-256 and rsa-sha2-512; I was not previously
aware they existed....)

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
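The two points in this message, that the kex hash (and so the size of H and the key-derivation hash) is fixed by the kex method name while the hash inside the host-key signature is fixed by the signature algorithm alone, are easy to see in code. The following is an added example, not the poster's client nor any OpenSSH code; the kex-to-hash table is taken from the RFCs for the names in the peer's list quoted above, the KEXINIT payloads, key values and version strings are constructed sample data, and `kex_hash_size_buggy` models the defect the poster describes (the SHA-1 size of 20 left in place for the -sha256 and -sha512 variants).

```python
import hashlib
import struct

# Hash behind each kex method name in the peer's list quoted above
# (RFC 4253, RFC 4419, RFC 5656, RFC 8268, RFC 8731).
KEX_HASH = {
    "diffie-hellman-group14-sha1": "sha1",
    "diffie-hellman-group14-sha256": "sha256",
    "diffie-hellman-group16-sha512": "sha512",
    "diffie-hellman-group18-sha512": "sha512",
    "diffie-hellman-group-exchange-sha256": "sha256",
    "curve25519-sha256": "sha256",
    "ecdh-sha2-nistp256": "sha256",
    "ecdh-sha2-nistp384": "sha384",
    "ecdh-sha2-nistp521": "sha512",
}

# Hash inside the host-key signature over H.  It is fixed by the
# signature algorithm (RFC 4253 s6.6 for ssh-rsa, RFC 8332 for
# rsa-sha2-*), not by the kex: ssh-rsa stays SHA-1 under a -sha256 kex.
SIG_HASH = {"ssh-rsa": "sha1", "rsa-sha2-256": "sha256", "rsa-sha2-512": "sha512"}


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for n >= 0: minimal big-endian two's complement."""
    if n == 0:
        return ssh_string(b"")
    # (bit_length + 8) // 8 leaves room for a leading 0x00 when the top bit is set.
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def kex_hash_size(kex: str) -> int:
    """Digest size the kex actually uses: 20, 32, 48 or 64 bytes."""
    return hashlib.new(KEX_HASH[kex]).digest_size


def kex_hash_size_buggy(kex: str) -> int:
    """The defect described in the mail: the -sha1 value copied unchanged."""
    return 20


def exchange_hash(kex, V_C, V_S, I_C, I_S, K_S, e, f, K):
    """H for the fixed-group DH kexen, RFC 4253 s8 (version strings without CR/LF)."""
    data = (ssh_string(V_C) + ssh_string(V_S) + ssh_string(I_C) + ssh_string(I_S)
            + ssh_string(K_S) + ssh_mpint(e) + ssh_mpint(f) + ssh_mpint(K))
    return hashlib.new(KEX_HASH[kex], data).digest()


def derive_key(kex, K, H, letter, session_id, needed):
    """RFC 4253 s7.2: K1 = HASH(K||H||X||session_id), Kn = HASH(K||H||K1..Kn-1)."""
    h = KEX_HASH[kex]
    out = hashlib.new(h, ssh_mpint(K) + H + letter + session_id).digest()
    while len(out) < needed:
        out += hashlib.new(h, ssh_mpint(K) + H + out).digest()
    return out[:needed]


def signature_digest(sig_alg: str, H: bytes) -> bytes:
    """What the host key's signature actually covers; depends on sig_alg only."""
    return hashlib.new(SIG_HASH[sig_alg], H).digest()


# Constructed sample inputs (shapes only); nothing here is from a real session.
SAMPLE = dict(
    V_C=b"SSH-2.0-example_0.1",
    V_S=b"SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2",
    I_C=b"\x14" + b"\x00" * 16 + ssh_string(b"diffie-hellman-group14-sha256"),
    I_S=b"\x14" + b"\x01" * 16 + ssh_string(b"diffie-hellman-group14-sha256"),
    K_S=ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(2**2047 + 12345),
    e=2**2000 + 3, f=2**2001 + 5, K=2**2002 + 7,
)


def compare_sizes(kex="diffie-hellman-group14-sha256"):
    """Show where a hard-coded 20-byte hash size goes wrong for a -sha256 kex."""
    H = exchange_hash(kex, **SAMPLE)
    ok, bad = kex_hash_size(kex), kex_hash_size_buggy(kex)
    # A client that treats H as `bad` bytes long derives its keys from, and
    # checks the signature over, a truncated H; the peer uses all `ok` bytes.
    keys_ok = derive_key(kex, SAMPLE["K"], H[:ok], b"A", H[:ok], 32)
    keys_bad = derive_key(kex, SAMPLE["K"], H[:bad], b"A", H[:bad], 32)
    return {
        "H_len": len(H), "correct_size": ok, "buggy_size": bad,
        "keys_agree": keys_ok == keys_bad,
        "ssh-rsa_digest_len": len(signature_digest("ssh-rsa", H)),
        "rsa-sha2-256_digest_len": len(signature_digest("rsa-sha2-256", H)),
    }


if __name__ == "__main__":
    for name, value in compare_sizes().items():
        print(f"{name}: {value}")
```

Running `compare_sizes()` with the default -sha256 kex reports a 32-byte H, a buggy size of 20, and derived keys that disagree; the same call with `diffie-hellman-group14-sha1` agrees on both counts, which is exactly why a copied -sha1 code path only breaks once a -sha256 or -sha512 kex is negotiated. The last two fields show the other point: under the same kex, ssh-rsa signs a 20-byte SHA-1 digest of H and rsa-sha2-256 a 32-byte SHA-256 one, with the same host key in both cases.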


