SSH: Security status of algorithms
Public Key Algorithms
ssh-rsa, x509v3-ssh-rsa
Security Status: The SHA1 signature algorithm is considered weak and collisions are now practical (see the paper "The first collision for full SHA-1").
Status in SmartFTP: Offered but refuses all keys with key length smaller than 1024 bits.
rsa-sha2-256, rsa-sha2-512, x509v3-rsa2048-sha256
Security Status: Secure.
Status in SmartFTP: Offered but refuses all keys with key length smaller than 1024 bits.
ssh-dss
Security Status: Insecure because of an inherent weakness: the key length is limited to 1024 bits.
Status in SmartFTP: Only offered for compatibility with legacy servers. It will be removed in the near future.
ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521
Security Status: Secure with some concerns.
Status in SmartFTP: Offered.
ssh-ed25519
Security Status: Secure.
Status in SmartFTP: Offered and the preferred algorithm.
Key Exchange Algorithms
sntrup761x25519-sha512@openssh.com
Post-quantum key exchange method.
Security Status: Secure.
Status in SmartFTP: Offered and the preferred algorithm.
curve25519-sha256
Security Status: Secure.
Status in SmartFTP: Offered.
ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
Security Status: Secure with some concerns.
Status in SmartFTP: Offered.
diffie-hellman-group1-sha1
1024-bit Oakley Group 2.
Known Vulnerability
20. May 2015: Logjam attack. Paper: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
4. October 2016: Paper: A kilobit hidden SNFS discrete logarithm computation
Disabled by default in OpenSSH 7.0.
Security Status: Insecure.
Status in SmartFTP: Not offered.
diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1
Security Status: DH groups with a group size of 2048 bits or more are secure, but the SHA1 signature algorithm is considered weak and collisions are now practical (see the paper "The first collision for full SHA-1").
Status in SmartFTP: Only offered for compatibility with legacy servers. It will be removed in the near future.
diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha256
Security Status: DH groups with a group size of 2048 bits or more are secure.
Status in SmartFTP: Offered.
diffie-hellman-group16-sha512
4096-bit Oakley Group 16.
Security Status: Secure.
Status in SmartFTP: Offered.
Encryption Algorithms
3des-cbc
Known Vulnerability
2016: Sweet32: Birthday attacks on 64-bit block ciphers. Paper: On the Practical (In-)Security of 64-bit Block Ciphers
The attack is impractical for SSH2 because re-keying (when correctly implemented) must happen after every 1 GB of transferred data.
Security Status: Secure when re-keying is properly implemented. However, it is discouraged; aes-ctr and aes-gcm are preferred.
Status in SmartFTP: Only offered for compatibility with legacy servers. It will be removed in the near future.
aes128-cbc, aes256-cbc
Known Vulnerability
24. November 2008: CERT Vulnerability Note VU#958563 - SSH CBC vulnerability
19. May 2009: The paper the CERT note refers to was published in the Proceedings of the 2009 30th IEEE Symposium on Security and Privacy (SP '09): Plaintext Recovery Attacks Against SSH
2009: OpenSSH's answer and mitigation: OpenSSH Security Advisory: cbc.adv
Security Status: Secure when correctly implemented (e.g. OpenSSH 5.2 and higher). However, it is discouraged; aes-ctr and aes-gcm are preferred.
Status in SmartFTP: Offered for compatibility with legacy servers.
aes128-ctr, aes256-ctr
Security Status: Secure.
Status in SmartFTP: Offered.
aes128-gcm@openssh.com, aes256-gcm@openssh.com
Security Status: Secure.
Status in SmartFTP: Offered and the preferred algorithm.
Compression Algorithms
zlib
Security Status: Pre-authentication compression is susceptible to multiple compression oracle attacks and offers an unnecessary attack surface.
Status in SmartFTP: No longer offered. Post-authentication compression is still available with zlib@openssh.com.
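As an added example (not SmartFTP's own code), the following Python script encodes the status table from this article and audits the algorithm lists found in a sshd_config-style snippet; the snippet is constructed, and the keyword names and the "+", "^" and "-" list prefixes are OpenSSH's.

```python
import re

# Classification as given in this article; anything not listed is reported
# as "unknown" rather than silently accepted.
STATUS = {
    # Public key algorithms
    "ssh-rsa": "weak", "x509v3-ssh-rsa": "weak",                    # SHA-1 signatures
    "rsa-sha2-256": "secure", "rsa-sha2-512": "secure", "x509v3-rsa2048-sha256": "secure",
    "ssh-dss": "insecure",                                          # 1024-bit key limit
    "ecdsa-sha2-nistp256": "concerns", "ecdsa-sha2-nistp384": "concerns",
    "ecdsa-sha2-nistp521": "concerns", "ssh-ed25519": "secure",
    # Key exchange algorithms
    "sntrup761x25519-sha512@openssh.com": "secure", "curve25519-sha256": "secure",
    "ecdh-sha2-nistp256": "concerns", "ecdh-sha2-nistp384": "concerns",
    "ecdh-sha2-nistp521": "concerns",
    "diffie-hellman-group1-sha1": "insecure",                       # Logjam, 1024-bit group
    "diffie-hellman-group-exchange-sha1": "weak", "diffie-hellman-group14-sha1": "weak",
    "diffie-hellman-group-exchange-sha256": "secure", "diffie-hellman-group14-sha256": "secure",
    "diffie-hellman-group16-sha512": "secure",
    # Encryption algorithms
    "3des-cbc": "legacy", "aes128-cbc": "legacy", "aes256-cbc": "legacy",  # Sweet32 / CBC plaintext recovery
    "aes128-ctr": "secure", "aes256-ctr": "secure",
    "aes128-gcm@openssh.com": "secure", "aes256-gcm@openssh.com": "secure",
}

def parse_sshd_config(text):
    """Return {keyword: [algorithms]}. A leading '+'/'^' (OpenSSH: append/prepend
    to defaults) is stripped; a '-' list only removes defaults, so it is skipped."""
    lists = {}
    for line in text.splitlines():
        m = re.match(r"\s*(KexAlgorithms|Ciphers|HostKeyAlgorithms)\s+(\S+)", line)
        if m and not m.group(2).startswith("-"):
            lists[m.group(1)] = m.group(2).lstrip("+^").split(",")
    return lists

def audit(lists):
    """Group each offered algorithm by status: {keyword: {status: [algorithms]}}."""
    report = {}
    for keyword, algs in lists.items():
        grouped = report.setdefault(keyword, {})
        for alg in algs:
            grouped.setdefault(STATUS.get(alg, "unknown"), []).append(alg)
    return report

# Constructed sample config mixing current and legacy choices.
SAMPLE = """\
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers aes256-gcm@openssh.com,aes128-ctr,3des-cbc
HostKeyAlgorithms +ssh-rsa
"""
```

Running audit(parse_sshd_config(SAMPLE)) flags diffie-hellman-group1-sha1 as insecure, diffie-hellman-group14-sha1 and ssh-rsa as weak, and 3des-cbc as legacy; the same check works on the output of ssh -Q kex or ssh -Q cipher.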