[Cyberduck-trac] [Cyberduck] #8537: Add ability to deactivate weak crypto, SHA-1, DES etc.
Cyberduck
trac at trac.cyberduck.io
Fri Feb 6 06:38:03 UTC 2015
#8537: Add ability to deactivate weak crypto, SHA-1, DES etc.
------------------------------------+-------------------------
Reporter: lbort | Owner: dkocher
Type: enhancement | Status: assigned
Priority: normal | Milestone: 4.7
Component: sftp | Version: 4.6.4
Severity: normal | Resolution:
Keywords: ssh, kex, ciphers, mac | Architecture: Intel
Platform: |
------------------------------------+-------------------------
Comment (by lbort):
Sorry, I was pretty busy, but here is my list. I am not completely familiar
with the notation; I hope I got it right.
{{{ [kex=diffie-hellman-group14-sha1; kex=diffie-hellman-group1-sha;
c2sCipher=aes128-cbc; c2sCipher=aes192-cbc; c2sCipher=aes256-cbc;
c2sCipher=blowfish-cbc; c2sCipher=3des-cbc; c2sMAC=hmac-md5;
c2sMAC=hmac-md5-96; c2sMAC=hmac-sha1; c2sMAC=hmac-sha1-96; s2cCipher=aes128-cbc;
s2cCipher=aes192-cbc; s2cCipher=aes256-cbc; s2cCipher=blowfish-cbc;
s2cCipher=3des-cbc; s2cMAC=hmac-md5; s2cMAC=hmac-md5-96; s2cMAC=hmac-sha1;
s2cMAC=hmac-sha1-96; sig=SHA1withDSA; sig=SHA256withECDSA ] }}}
This is quite a long list, but all of the above either use broken
algorithms like MD5 and SHA-1, or too-short keys like DSA, or rely on NIST
curves, which can't be trusted either. I am not entirely sure about the
aes-cbc ciphers, but I assume they are also vulnerable. I didn't read
everything, but for some info about that, see
http://www.openssh.com/txt/cbc.adv
and
http://homes.cs.washington.edu/~yoshi/papers/TISSEC04/
The list includes all currently supported kex-algorithms, so at least one
of the suggested kex-algorithms needs to be implemented before activating
the warning, otherwise it will always pop up. I also suggest putting the
stronger ciphers with the longer keys first in the list of all available
algorithms, since apparently the client chooses the first one in its list
that is also supported by the server. In the long run, some more
algorithms might be nice for the other parts besides key exchange, to be as
compatible and secure as possible.
--
Ticket URL: <https://trac.cyberduck.io/ticket/8537#comment:10>
Cyberduck <http://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
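
The selection rule and warning described in the comment above, as an added example that is not part of the original ticket or Cyberduck's code. The function names and the client/server lists are assumptions made for illustration; the flagged list is the one posted in the comment.

```python
import re

# Flagged list copied from the ticket comment (wrapped "hmac-md5-96" rejoined).
FLAGGED_TEXT = """[kex=diffie-hellman-group14-sha1; kex=diffie-hellman-group1-sha;
c2sCipher=aes128-cbc; c2sCipher=aes192-cbc; c2sCipher=aes256-cbc;
c2sCipher=blowfish-cbc; c2sCipher=3des-cbc; c2sMAC=hmac-md5; c2sMAC=hmac-md5-96;
c2sMAC=hmac-sha1; c2sMAC=hmac-sha1-96; s2cCipher=aes128-cbc;
s2cCipher=aes192-cbc; s2cCipher=aes256-cbc; s2cCipher=blowfish-cbc;
s2cCipher=3des-cbc; s2cMAC=hmac-md5; s2cMAC=hmac-md5-96; s2cMAC=hmac-sha1;
s2cMAC=hmac-sha1-96; sig=SHA1withDSA; sig=SHA256withECDSA ]"""

def parse_flagged(text):
    """Parse '[slot=name; slot=name; ...]' into {slot: set(names)}."""
    flagged = {}
    for slot, name in re.findall(r"(\w+)=([^;\]\s]+)", text):
        flagged.setdefault(slot, set()).add(name)
    return flagged

def negotiate(client_prefs, server_algos):
    """First entry in the client's list that the server also offers, else None."""
    offered = set(server_algos)
    return next((a for a in client_prefs if a in offered), None)

def prefer_unflagged(client_prefs, flagged):
    """Stable reorder: unflagged algorithms first, flagged ones kept as fallback."""
    return sorted(client_prefs, key=lambda a: a in flagged)

def audit(client, server, flagged):
    """Return {slot: (chosen, needs_warning)} for every slot the client configures."""
    result = {}
    for slot, prefs in client.items():
        chosen = negotiate(prefs, server.get(slot, []))
        result[slot] = (chosen, chosen in flagged.get(slot, set()))
    return result

FLAGGED = parse_flagged(FLAGGED_TEXT)

# Constructed sample lists; aes256-ctr and hmac-sha2-256 are not named in the ticket.
CLIENT = {"c2sCipher": ["aes128-cbc", "3des-cbc", "aes256-ctr"],
          "c2sMAC": ["hmac-md5", "hmac-sha1", "hmac-sha2-256"]}
SERVER = {"c2sCipher": ["aes256-ctr", "aes128-cbc"],
          "c2sMAC": ["hmac-sha2-256", "hmac-sha1"]}
REORDERED = {slot: prefer_unflagged(prefs, FLAGGED.get(slot, set()))
             for slot, prefs in CLIENT.items()}

if __name__ == "__main__":
    print("as configured:", audit(CLIENT, SERVER, FLAGGED))
    print("strong first: ", audit(REORDERED, SERVER, FLAGGED))
```

With the lists as configured, both slots settle on a flagged algorithm even though the server offers an unflagged one; after reordering, the same server yields unflagged choices and no warning.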