On Fri, 14 Oct 2005, Stephen J. Smoogen wrote:

> On 10/14/05, David wrote:
>> Please forgive if this is the wrong place...
>> As a user of the excellent ssh and sshd I would like to see the next
>> version of openssh contain support for the SHA-2 hashes (SHA-256,
>> SHA-384, and SHA-512) as the SHA-1 hash is now known to be vulnerable to
>> a 2^69 and possibly a 2^63 key-space search. As of version 0.98 openssl
>> contained support for these hashes so it would be nice if openssh
>> followed suit.

> There are several questions that would need to be answered:
> 1) Does the SSH spec allow for any algorithms other than SHA1? If it
> doesnt then the first place to work it through would be the IETF. [I
> do not know the answer myself..]

For the per-packet MAC, only HMAC-SHA1 and HMAC-MD5 are supported. In
reality, even these are overkill (in terms of MAC length).

Wang, Yin and Yu's results on SHA1 don't matter for its use in HMAC

> 2) How long do you want your message to be secure? If you say
> forever... then you are best off not saying anything. If you say 100
> years.. it would probably be best not to say anything. If you are
> looking for 10 years then does the search space time for 2^60 or more
> fit into that time frame. (Searching 2^30 (approx 1 billion keys) a
> second it would take 34 years to search for this. This doesnt take in
> account parrelization or other items).

Finding a hash collision doesn't render your encrypted messages


openssh-unix-dev mailing list