Re: New FIPS 180-2 hashes in OpenSSH?

From: Ben Harris (bjh21_at_bjh21.me.uk)
Date: 07/11/05


Date: 11 Jul 2005 01:40:14 +0100 (BST)

In article <PIgAe.3729$p%3.22796@typhoon.sonic.net>,
David <shadoweyez@hotpop.com> wrote:
>Does anyone know if SHA-224, 256, 384, and 512 are in OpenSSH or will
>be included for password hashing options (message authentication) for
>sshd? Specifically, in the sshd_config man page:
>
>MACs Specifies the available MAC (message authentication code)
>algorithms. The MAC algorithm is used in protocol version 2 for data
>integrity protection. Multiple algorithms must be comma-separated. The
>default is
>``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''.
>
>The new version of OpenSSL, 0.98, now has support for these stronger
>versions of SHA, and given the fact that it was recently shown by
>researchers that SHA1 is vulnerable to a key-space attack in 2^69
>operations as opposed to 2^80, meaning with hardware in a year or two
>SHA1 will become less effective, both ssh client and server should
>probably start supporting these.

This isn't a problem for HMAC, since breaking it requires a preimage attack,
not a collision attack. Thus, HMAC-SHA1 still requires 2^160 work to break.
Even HMAC-MD5 should be strong enough for most purposes at present, since
an HMAC cracker has to work within the rekey time (the default for which is
an hour) to be useful, unlike a cracker for the symmetric-encryption
algorithm.

The standard SSH-2 key-exchange methods also use SHA-1, but I think they're
resistant to collision attacks, at least when used with standard RSA and DSA
host keys. In any case, key-exchange methods using stronger hashes are in
the process of being standardised.

-- 
Ben Harris
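
The MAC names in the quoted sshd_config text all use the HMAC construction, in which a secret key is mixed into both hash passes. The following is an added example, not part of the original post and not OpenSSH's code: it builds HMAC from the bare hash as in RFC 2104 and applies it to a packet the way SSH-2 does (32-bit sequence number prepended, `-96` variants truncated to 12 bytes). The key and packet bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

# MAC names from the quoted man page -> (hash, bytes of the tag sent on the wire).
# hmac-ripemd160 is left out because not every hashlib build provides ripemd160.
SSH_MACS = {
    "hmac-md5": ("md5", 16),
    "hmac-sha1": ("sha1", 20),
    "hmac-sha1-96": ("sha1", 12),
    "hmac-md5-96": ("md5", 12),
}


def hmac_rfc2104(hash_name, key, msg):
    """H((K ^ opad) || H((K ^ ipad) || msg)), built from the bare hash."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:              # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")   # then zero-padded to one hash block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # Both passes start from key-dependent state the attacker never sees,
    # so a pair of colliding messages for the bare hash does not yield a tag.
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def ssh_packet_mac(mac_name, key, seqno, packet):
    """SSH-2 style tag: MAC(key, uint32 sequence_number || unencrypted packet)."""
    hash_name, keep = SSH_MACS[mac_name]
    data = struct.pack(">I", seqno & 0xFFFFFFFF) + packet
    return hmac_rfc2104(hash_name, key, data)[:keep]


def verify(mac_name, key, seqno, packet, tag):
    """Constant-time comparison of the received tag with the expected one."""
    expected = ssh_packet_mac(mac_name, key, seqno, packet)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = bytes(range(20))                        # constructed 20-byte MAC key
    packet = b"\x00\x00\x00\x0c\x0a" + b"A" * 11   # constructed packet bytes
    tag = ssh_packet_mac("hmac-sha1-96", key, 7, packet)
    print(tag.hex(), verify("hmac-sha1-96", key, 7, packet, tag))
    print(verify("hmac-sha1-96", key, 8, packet, tag))  # wrong sequence number
```

Because the sequence number is part of the MAC input, a packet replayed or reordered within the same key lifetime fails verification even though its bytes are unchanged.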

