Article 2725

SSH: Security status of algorithms

Public Key Algorithms

ssh-rsa, x509v3-ssh-rsa

Security Status: The SHA1 signature algorithm is considered weak and collisions are now practical (see: The first collision for full SHA-1).
Status in SmartFTP: Offered, but all keys with a key length smaller than 1024 bits are refused.

rsa-sha2-256, rsa-sha2-512, x509v3-rsa2048-sha256

Security Status: Secure.
Status in SmartFTP: Offered, but all keys with a key length smaller than 1024 bits are refused.

ssh-dss

Security Status: Insecure because of an inherent weakness (the key length is limited to 1024 bits).
Status in SmartFTP: Only offered for compatibility with legacy servers. It will be removed in the near future.

ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

Security Status: Secure with some concerns.
Status in SmartFTP: Offered.

ssh-ed25519

Security Status: Secure.
Status in SmartFTP: Offered and the preferred algorithm.

Key Exchange Algorithms

curve25519-sha256

Security Status: Secure.
Status in SmartFTP: Offered and the preferred algorithm.

ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521

Security Status: Secure with some concerns.
Status in SmartFTP: Offered.

diffie-hellman-group1-sha1

1024-bit Oakley Group 2.

Known Vulnerability

20. May 2015
Logjam attack

Paper: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

4. October 2016
Paper: A kilobit hidden SNFS discrete logarithm computation

Disabled by default in OpenSSH 7.0.

Security Status: Insecure.
Status in SmartFTP: Not offered.

diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1

Security Status: DH groups with a group size equal to or greater than 2048 bits are secure, but the SHA1 signature algorithm is considered weak and collisions are now practical (see: The first collision for full SHA-1).
Status in SmartFTP: Only offered for compatibility with legacy servers. It will be removed in the near future.

diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha256

Security Status: DH groups with a group size equal to or greater than 2048 bits are secure.
Status in SmartFTP: Offered.

diffie-hellman-group16-sha512

4096-bit Oakley Group 16.

Security Status: Secure.
Status in SmartFTP: Offered.

Encryption Algorithms

3des-cbc

Known Vulnerability

2016
Sweet32: Birthday attacks on 64-bit block ciphers
Paper: On the Practical (In-)Security of 64-bit Block Ciphers

The attack is impractical against SSH2 because a correct implementation must re-key after every 1 GB of transferred data, long before the birthday bound of a 64-bit block cipher is reached.

Security Status: Secure when re-keying is properly implemented. However, it is discouraged; aes-ctr and aes-gcm are preferred.
Status in SmartFTP: Only offered for compatibility with legacy servers. It will be removed in the near future.
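The following is an added example, not part of the SmartFTP article: it works through the birthday bound that Sweet32 relies on, to show why a 1 GB re-key limit keeps a 64-bit block cipher such as 3des-cbc out of the attack's reach while the same limit is enormously conservative for a 128-bit block cipher. The 1e-3 collision budget in the usage section is an assumed operator's threshold, not a figure from the article.

```python
# Added example (not from the SmartFTP article): the birthday bound behind the
# Sweet32 attack, used to check why a 1 GB re-key limit keeps 3des-cbc usable.
# A CBC-mode cipher with a b-bit block starts leaking plaintext once two
# ciphertext blocks collide; with n blocks encrypted under one key, the
# chance of at least one collision is about 1 - exp(-n*(n-1) / 2^(b+1)).
import math

GIB = 2 ** 30  # the article's "1 GB" re-key limit, taken as 1 GiB here


def collision_probability(num_bytes: int, block_bits: int) -> float:
    """Probability of at least one ciphertext-block collision after encrypting
    num_bytes under a single key with a block_bits-bit block cipher."""
    n = num_bytes // (block_bits // 8)  # number of blocks under this key
    exponent = -(n * (n - 1)) / (2 ** (block_bits + 1))
    # expm1 keeps precision for the tiny probabilities of 128-bit blocks
    return -math.expm1(exponent)


def safe_rekey_limit(block_bits: int, max_probability: float) -> int:
    """Largest power-of-two byte count per key that keeps the collision
    probability below max_probability (an assumed operator's budget)."""
    limit = block_bits // 8  # start at a single block
    while collision_probability(limit * 2, block_bits) < max_probability:
        limit *= 2
    return limit


if __name__ == "__main__":
    for label, size in [("1 GiB (SSH2 re-key limit)", GIB), ("32 GiB", 32 * GIB)]:
        for bits, name in [(64, "3des-cbc"), (128, "aes-cbc")]:
            p = collision_probability(size, bits)
            print(f"{name:9} {label:26} p(collision) = {p:.3e}")
    # With a 1e-3 budget, a 64-bit block cipher must re-key at 1 GiB,
    # while a 128-bit block cipher could go to 2^63 bytes under one key.
    print(safe_rekey_limit(64, 1e-3) == GIB, safe_rekey_limit(128, 1e-3) == 2 ** 63)
```

At 1 GiB a 64-bit block cipher has already accumulated a collision probability of about 2^-11; at 32 GiB (the 2^32-block birthday point) it is close to 40%, which is why the attack is practical only against connections that never re-key.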

aes128-cbc, aes256-cbc

Known Vulnerability

24. November 2008
CERT Vulnerability Note VU#958563 - SSH CBC vulnerability

19. May 2009
The paper the CERT note refers to was published in the Proceedings of the 2009 30th IEEE Symposium on Security and Privacy (SP '09):
Plaintext Recovery Attacks Against SSH

2009
OpenSSH's answer and mitigation:
OpenSSH Security Advisory: cbc.adv

Security Status: Secure when correctly implemented (e.g. OpenSSH 5.2 and higher). However, it is discouraged; aes-ctr and aes-gcm are preferred.
Status in SmartFTP: Offered for compatibility with legacy servers.

aes128-ctr, aes256-ctr

Security Status: Secure.
Status in SmartFTP: Offered.

aes128-gcm@openssh.com, aes256-gcm@openssh.com

Security Status: Secure.
Status in SmartFTP: Offered and the preferred algorithm.

Compression Algorithms

zlib

Security Status: Pre-authentication compression is susceptible to multiple compression oracle attacks and offers an unnecessary attack surface.

Status in SmartFTP: No longer offered. Post-authentication compression is still available with zlib@openssh.com.
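As an added example (not SmartFTP code), the status table above can be turned into a check that an administrator runs over the algorithm lists a peer advertises. The script below parses the KEXINIT proposal lines that OpenSSH prints with ssh -vv (the "debug2: KEX algorithms:", "host key algorithms:", "ciphers ctos/stoc:" and "compression ctos/stoc:" lines) and reports every algorithm the article rates as less than secure. The sample lines are constructed for the example, not a real capture; the severity labels are this example's own shorthand for the article's wording, and any name the article does not cover is reported as "unknown" rather than assumed safe.

```python
# Added example (not from the SmartFTP article): classify the algorithms an
# SSH peer offers, using this article's status table, from OpenSSH "ssh -vv"
# KEXINIT proposal lines. Sample lines below are constructed, not captured.
import re

# Shorthand labels for the article's wording, ranked from best to worst.
RANK = {"secure": 0, "concerns": 1, "unknown": 2,
        "discouraged": 3, "weak-sha1": 4, "insecure": 5}
OK = {"secure", "concerns"}  # everything else is reported

# Statuses transcribed from the article. Names not listed are "unknown".
STATUS = {
    "kex": {
        "curve25519-sha256": "secure",
        "ecdh-sha2-nistp256": "concerns", "ecdh-sha2-nistp384": "concerns",
        "ecdh-sha2-nistp521": "concerns",
        "diffie-hellman-group1-sha1": "insecure",
        "diffie-hellman-group-exchange-sha1": "weak-sha1",
        "diffie-hellman-group14-sha1": "weak-sha1",
        "diffie-hellman-group-exchange-sha256": "secure",
        "diffie-hellman-group14-sha256": "secure",
        "diffie-hellman-group16-sha512": "secure",
    },
    "hostkey": {
        "ssh-rsa": "weak-sha1", "x509v3-ssh-rsa": "weak-sha1",
        "rsa-sha2-256": "secure", "rsa-sha2-512": "secure",
        "x509v3-rsa2048-sha256": "secure",
        "ssh-dss": "insecure",
        "ecdsa-sha2-nistp256": "concerns", "ecdsa-sha2-nistp384": "concerns",
        "ecdsa-sha2-nistp521": "concerns",
        "ssh-ed25519": "secure",
    },
    "cipher": {
        "3des-cbc": "discouraged",
        "aes128-cbc": "discouraged", "aes256-cbc": "discouraged",
        "aes128-ctr": "secure", "aes256-ctr": "secure",
        "aes128-gcm@openssh.com": "secure", "aes256-gcm@openssh.com": "secure",
    },
    "compression": {
        "none": "secure",
        "zlib": "insecure",            # pre-authentication compression
        "zlib@openssh.com": "secure",  # post-authentication compression
    },
}

# The list names OpenSSH prints for a KEXINIT proposal, mapped to a table.
CATEGORY = {"KEX algorithms": "kex", "host key algorithms": "hostkey",
            "ciphers ctos": "cipher", "ciphers stoc": "cipher",
            "compression ctos": "compression", "compression stoc": "compression"}
LINE_RE = re.compile(r"^debug2: (" + "|".join(map(re.escape, CATEGORY)) + r"): (\S+)$")


def classify(lines):
    """Return (category, algorithm, status) for every algorithm named in the
    proposal lines, worst status first. MAC lines are not covered by the
    article and are skipped."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        cat = CATEGORY[m.group(1)]
        for alg in m.group(2).split(","):
            seen[(cat, alg)] = STATUS[cat].get(alg, "unknown")
    return sorted(((c, a, s) for (c, a), s in seen.items()),
                  key=lambda t: -RANK[t[2]])


def flagged(lines):
    """Only the entries the article does not rate secure or merely
    'secure with some concerns'; unknown names are included for review."""
    return [t for t in classify(lines) if t[2] not in OK]


SAMPLE_LINES = [  # constructed, in the format of ssh -vv output
    "debug2: peer server KEXINIT proposal",
    "debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,ssh-rsa,ssh-dss",
    "debug2: ciphers ctos: aes256-gcm@openssh.com,aes128-ctr,3des-cbc",
    "debug2: ciphers stoc: aes256-gcm@openssh.com,aes128-ctr,3des-cbc",
    "debug2: MACs ctos: hmac-sha2-256,hmac-sha1",
    "debug2: compression ctos: none,zlib@openssh.com,zlib",
    "debug2: compression stoc: none,zlib@openssh.com,zlib",
]

if __name__ == "__main__":
    for cat, alg, status in flagged(SAMPLE_LINES):
        print(f"{status:11} {cat:11} {alg}")
```

The same three tables map directly onto the KexAlgorithms, HostKeyAlgorithms and Ciphers options of OpenSSH's ssh_config and sshd_config, so the "secure" rows double as an allow-list when tightening a server or client configuration; the article's RSA key-length rule (keys under 1024 bits refused) is not visible in a proposal line and has to be checked against the host key itself.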
