On Fri, 14 Oct 2005, Stephen J. Smoogen wrote:

> On 10/14/05, David wrote:
>> Please forgive if this is the wrong place...
>>
>> As a user of the excellent ssh and sshd I would like to see the next
>> version of openssh contain support for the SHA-2 hashes (SHA-256,
>> SHA-384, and SHA-512) as the SHA-1 hash is now known to be vulnerable to
>> a 2^69 and possibly a 2^63 key-space search. As of version 0.98 openssl
>> contained support for these hashes so it would be nice if openssh
>> followed suit.

>
> There are several questions that would need to be answered:
>
> 1) Does the SSH spec allow for any algorithms other than SHA1? If it
> doesn't then the first place to work it through would be the IETF. [I
> do not know the answer myself..]

For the per-packet MAC, only HMAC-SHA1 and HMAC-MD5 are supported. In
reality, even these are overkill (in terms of MAC length).

Wang, Yin and Yu's results on SHA1 don't matter for its use in HMAC
anyway.

> 2) How long do you want your message to be secure? If you say
> forever... then you are best off not saying anything. If you say 100
> years.. it would probably be best not to say anything. If you are
> looking for 10 years then does the search space time for 2^60 or more
> fit into that time frame? (Searching 2^30 (approx 1 billion keys) a
> second it would take 34 years to search for this. This doesn't take
> into account parallelization or other items).

Finding a hash collision doesn't render your encrypted messages
vulnerable.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
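The per-packet MAC construction discussed above (HMAC-SHA1 or HMAC-MD5, keyed, over the sequence number and the unencrypted packet, as SSH-2 specifies), shown as an added Python example that is not part of this thread or of OpenSSH; the key, payload and packet framing are constructed for illustration:

```python
import hmac
import hashlib
import os
import struct

# SSH-2 computes the per-packet MAC as
#   mac = MAC(key, uint32 sequence_number || unencrypted_packet)
# The sequence number starts at 0 and increments for every packet sent,
# so a replayed or reordered packet fails verification even if its
# bytes are untouched. The "-96" variants truncate the tag to 96 bits.
MAC_ALGS = {
    "hmac-sha1":    (hashlib.sha1, 20),
    "hmac-sha1-96": (hashlib.sha1, 12),
    "hmac-md5":     (hashlib.md5, 16),
    "hmac-md5-96":  (hashlib.md5, 12),
}

def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Frame a payload as an unencrypted SSH binary packet:
    uint32 packet_length, byte padding_length, payload, random padding.
    Padding is at least 4 bytes and pads the whole packet to a block multiple."""
    pad_len = block_size - ((5 + len(payload)) % block_size)
    if pad_len < 4:
        pad_len += block_size
    packet_length = 1 + len(payload) + pad_len
    return struct.pack(">IB", packet_length, pad_len) + payload + os.urandom(pad_len)

def compute_mac(alg: str, key: bytes, seqno: int, packet: bytes) -> bytes:
    """HMAC over seqno || packet, truncated to the algorithm's tag length."""
    digestmod, tag_len = MAC_ALGS[alg]
    tag = hmac.new(key, struct.pack(">I", seqno) + packet, digestmod).digest()
    return tag[:tag_len]

def verify_mac(alg: str, key: bytes, seqno: int, packet: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(compute_mac(alg, key, seqno, packet), tag)

if __name__ == "__main__":
    key = os.urandom(20)          # constructed session MAC key
    pkt = build_packet(b"hello")  # constructed payload
    tag = compute_mac("hmac-sha1", key, 0, pkt)
    print("genuine packet:", verify_mac("hmac-sha1", key, 0, pkt, tag))   # True
    print("replayed at seqno 1:", verify_mac("hmac-sha1", key, 1, pkt, tag))  # False
    tampered = pkt[:5] + bytes([pkt[5] ^ 0x01]) + pkt[6:]
    print("one bit flipped:", verify_mac("hmac-sha1", key, 0, tampered, tag))  # False
```

Without the key, an attacker cannot compute a valid tag for any packet, which is why a collision search on the bare hash does not translate into a forged SSH MAC.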