Bug 1580

Summary: [PATCH] HMAC should use sha1 instead of md5 by default
Product: Portable OpenSSH
Reporter: Daniel Black <daniel.subs>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: normal
CC: djm
Priority: P2
Version: 5.2p1
Hardware: Other
OS: Linux
Attachments: openssh-hmac-sha1-prefered-cvs.patch (flags: none)

Description Daniel Black 2009-03-30 16:40:38 AEDT
Created attachment 1619
openssh-hmac-sha1-prefered-cvs.patch

Both ssh and sshd should use sha1 in preference to md5. This is currently not the case. It would be nicer for sha1 to be the default, even if it just stops the audit people from saying 'bad bad - using that flawed md5'.

I acknowledge that the control is totally in the ssh client end; however, reordering both isn't that hard.

The attached patch performs this function.
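The negotiation rule behind the remark that control sits on the client side, as an added example that is not part of the bug report or of OpenSSH itself: a model of RFC 4253 MAC selection together with the transport MAC it selects, using constructed preference lists and a constructed key.

```python
"""Model of SSH MAC negotiation (RFC 4253 section 7.1) and of the transport
MAC it selects (section 6.4), to show which side's ordering decides the outcome."""
import hashlib
import hmac
import struct

# Constructed preference lists for the illustration only; they are not the
# defaults shipped by any OpenSSH release.
CLIENT_MD5_FIRST = ["hmac-md5", "hmac-sha1", "umac-64@openssh.com"]
CLIENT_SHA1_FIRST = ["hmac-sha1", "hmac-md5", "umac-64@openssh.com"]
SERVER_MD5_FIRST = ["hmac-md5", "hmac-sha1"]
SERVER_SHA1_FIRST = ["hmac-sha1", "hmac-md5"]

def negotiate(client_macs, server_macs):
    """Pick the first name on the client's list that the server also offers.
    The server's ordering never influences the choice, only its membership."""
    for name in client_macs:
        if name in server_macs:
            return name
    raise ValueError("no common MAC algorithm")

# Only the two HMAC variants discussed in the report are modelled here.
HMAC_DIGESTS = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1}

def ssh_mac(name, key, seqno, packet):
    """Transport MAC per RFC 4253 section 6.4:
    HMAC(key, uint32 sequence_number || unencrypted_packet)."""
    if name not in HMAC_DIGESTS:
        raise ValueError(f"unsupported MAC {name}")
    return hmac.new(key, struct.pack(">I", seqno) + packet, HMAC_DIGESTS[name]).digest()

def verify_mac(name, key, seqno, packet, tag):
    """Constant-time comparison of a received tag against the recomputed one."""
    return hmac.compare_digest(ssh_mac(name, key, seqno, packet), tag)

def demo():
    """Three negotiations: reordering only the server list leaves HMAC-MD5 in
    use; reordering the client list is what switches to HMAC-SHA1."""
    return (
        negotiate(CLIENT_MD5_FIRST, SERVER_MD5_FIRST),   # hmac-md5
        negotiate(CLIENT_MD5_FIRST, SERVER_SHA1_FIRST),  # still hmac-md5
        negotiate(CLIENT_SHA1_FIRST, SERVER_MD5_FIRST),  # hmac-sha1
    )

if __name__ == "__main__":
    print(demo())
    key = b"\x00" * 20  # constructed integrity key, not a real session key
    tag = ssh_mac(demo()[2], key, 3, b"constructed packet bytes")
    print(len(tag), verify_mac("hmac-sha1", key, 3, b"constructed packet bytes", tag))
```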
Comment 1 Damien Miller 2009-03-30 17:00:37 AEDT
I don't think there is any strong reason to switch from HMAC-MD5 yet; HMAC-MD5 is not affected by the recent-ish MD5 bugs and SSH's use of the MAC would be much more difficult to exploit still (there is no length-extension that can be performed). See http://www.ietf.org/mail-archive/web/cfrg/current/msg01196.html for an opinion by a real cryptographer.

If we do change, it will probably be to umac-64@openssh.com as first preference MAC, and that will be as much for performance reasons as anything else.

(Please note: "appeasing clueless auditors" is not a reason we will ever respond to).
Comment 2 Daniel Black 2009-03-30 17:43:25 AEDT
(In reply to comment #1)
> I don't think there is any strong reason to switch from HMAC-MD5 yet;
> http://www.ietf.org/mail-archive/web/cfrg/current/msg01196.html
nice article - thanks

> umac-64@openssh.com 
ok.

> (Please note: "appeasing clueless auditors" is not a reason we will
> ever respond to).
Acknowledged. Sorry for mentioning it. Won't happen again.
Comment 3 Damien Miller 2009-07-31 10:47:25 AEST
Oops, forgot to close this at the time.
Comment 4 Damien Miller 2009-10-06 15:01:54 AEDT
Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.