{
"categories": [
{
"name": "Ciphers",
"entries": [
{
"algorithms": ["chacha20-poly1305@openssh.com"],
"classification": "secure",
"rationale": "AEAD construction from ChaCha20 stream cipher and Poly1305 authenticator with proofs of security and an OpenSSH instantiation.",
"references": [
{"title": "Bernstein 2008", "url": "https://cr.yp.to/chacha/chacha-20080128.pdf"},
{"title": "RFC 8439", "url": "https://www.rfc-editor.org/rfc/rfc8439"},
{"title": "OpenSSH PROTOCOL.chacha20poly1305", "url": "https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.chacha20poly1305"}
]
},
{
"algorithms": ["aes256-gcm@openssh.com"],
"classification": "secure",
"rationale": "AES-GCM provides provable IND-CCA security with minimal overhead and is recommended by the mode's designers.",
"references": [
{"title": "McGrew & Viega 2004", "url": "https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm02/McGrewViega.pdf"}
]
},
{
"algorithms": ["aes128-gcm@openssh.com"],
"classification": "secure",
"rationale": "Same AEAD construction and proofs apply to 128-bit keys.",
"references": [
{"title": "McGrew & Viega 2004", "url": "https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm02/McGrewViega.pdf"}
]
},
{
"algorithms": ["aes256-ctr"],
"classification": "secure",
"rationale": "Counter mode keeps AES in a provably secure stream configuration when paired with a strong MAC, and RFC 4344 standardizes it for SSH.",
"references": [
{"title": "RFC 4344", "url": "https://www.rfc-editor.org/rfc/rfc4344"}
]
},
{
"algorithms": ["aes192-ctr"],
"classification": "secure",
"rationale": "Same security argument as the 256-bit variant.",
"references": [
{"title": "RFC 4344", "url": "https://www.rfc-editor.org/rfc/rfc4344"}
]
},
{
"algorithms": ["aes128-ctr"],
"classification": "secure",
"rationale": "Same security argument as the 256-bit variant.",
"references": [
{"title": "RFC 4344", "url": "https://www.rfc-editor.org/rfc/rfc4344"}
]
},
{
"algorithms": ["3des-cbc"],
"classification": "insecure",
"rationale": "64-bit block cipher vulnerable to the Sweet32 birthday attack against long-lived SSH sessions.",
"references": [
{"title": "Bhargavan & Leurent 2016", "url": "https://sweet32.info/SWEET32_CCS16.pdf"}
]
},
{
"algorithms": ["blowfish-cbc"],
"classification": "insecure",
"rationale": "64-bit block cipher subject to the same Sweet32 collision limits.",
"references": [
{"title": "Bhargavan & Leurent 2016", "url": "https://sweet32.info/SWEET32_CCS16.pdf"}
]
},
{
"algorithms": ["cast128-cbc"],
"classification": "insecure",
"rationale": "64-bit block cipher subject to the same Sweet32 collision limits.",
"references": [
{"title": "Bhargavan & Leurent 2016", "url": "https://sweet32.info/SWEET32_CCS16.pdf"}
]
},
{
"algorithms": ["arcfour", "arcfour128", "arcfour256"],
"classification": "insecure",
"rationale": "RC4 stream cipher exhibits serious bias attacks that recover keystream bytes in practice.",
"references": [
{"title": "AlFardan et al. 2013", "url": "https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper-alfardan.pdf"}
]
},
{
"algorithms": ["aes256-cbc", "aes192-cbc", "aes128-cbc"],
"classification": "insecure",
"rationale": "CBC mode without Encrypt-then-MAC suffers from practical padding-oracle attacks such as Lucky13.",
"references": [
{"title": "AlFardan & Paterson 2013", "url": "https://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf"}
]
}
]
},
{
"name": "Message Authentication Codes",
"entries": [
{
"algorithms": ["hmac-sha2-512-etm@openssh.com"],
"classification": "secure",
"rationale": "HMAC inherits SHA-512's collision resistance and Encrypt-then-MAC prevents padding oracles.",
"references": [
{"title": "Bellare, Canetti & Krawczyk 1996", "url": "https://cseweb.ucsd.edu/~mihir/papers/hmac.pdf"},
{"title": "Krawczyk 2001", "url": "https://iacr.org/archive/crypto2001/21390229.pdf"}
]
},
{
"algorithms": ["hmac-sha2-256-etm@openssh.com"],
"classification": "secure",
"rationale": "Same guarantees as the 512-bit variant.",
"references": [
{"title": "Bellare, Canetti & Krawczyk 1996", "url": "https://cseweb.ucsd.edu/~mihir/papers/hmac.pdf"},
{"title": "Krawczyk 2001", "url": "https://iacr.org/archive/crypto2001/21390229.pdf"}
]
},
{
"algorithms": ["hmac-sha2-512"],
"classification": "secure",
"rationale": "HMAC proof gives strong unforgeability so long as SHA-512 remains preimage-resistant.",
"references": [
{"title": "Bellare, Canetti & Krawczyk 1996", "url": "https://cseweb.ucsd.edu/~mihir/papers/hmac.pdf"}
]
},
{
"algorithms": ["hmac-sha2-256"],
"classification": "secure",
"rationale": "Same proof applies to the 256-bit digest.",
"references": [
{"title": "Bellare, Canetti & Krawczyk 1996", "url": "https://cseweb.ucsd.edu/~mihir/papers/hmac.pdf"}
]
},
{
"algorithms": ["umac-128-etm@openssh.com"],
"classification": "secure",
"rationale": "UMAC's ε-almost-universal hash guarantees 128-bit tag security and EtM hardens SSH framing.",
"references": [
{"title": "Black et al. 1999", "url": "https://link.springer.com/chapter/10.1007/3-540-48405-1_24"},
{"title": "Krawczyk 2001", "url": "https://iacr.org/archive/crypto2001/21390229.pdf"}
]
},
{
"algorithms": ["umac-128@openssh.com"],
"classification": "secure",
"rationale": "Same ε-almost-universal hash analysis applies when SSH performs integrity then encryption.",
"references": [
{"title": "Black et al. 1999", "url": "https://link.springer.com/chapter/10.1007/3-540-48405-1_24"}
]
},
{
"algorithms": ["umac-128"],
"classification": "secure",
"rationale": "Same as above for the generic algorithm name.",
"references": [
{"title": "Black et al. 1999", "url": "https://link.springer.com/chapter/10.1007/3-540-48405-1_24"}
]
},
{
"algorithms": ["hmac-sha1", "hmac-sha1-96"],
"classification": "insecure",
"rationale": "While HMAC-SHA1 remains theoretically secure against collision attacks, it is deprecated due to reduced cryptographic margins and industry best practices recommend migration to SHA-2 based MACs.",
"references": [
{"title": "Stevens et al. 2017", "url": "https://shattered.io/static/shattered.pdf"},
{"title": "Bellare et al. 2006", "url": "https://eprint.iacr.org/2006/043.pdf"}
]
},
{
"algorithms": ["hmac-md5", "hmac-md5-96"],
"classification": "insecure",
"rationale": "MD5 collision attacks invalidate HMAC-MD5's binding.",
"references": [
{"title": "Wang & Yu 2005", "url": "https://link.springer.com/chapter/10.1007/11426639_1"}
]
},
{
"algorithms": ["umac-64"],
"classification": "insecure",
"rationale": "64-bit tags only give 32-bit birthday security, which UMAC's own analysis warns is insufficient for modern SSH volumes.",
"references": [
{"title": "Black et al. 1999", "url": "https://link.springer.com/chapter/10.1007/3-540-48405-1_24"}
]
},
{
"algorithms": ["none"],
"classification": "insecure",
"rationale": "Disables integrity entirely and violates SSH's mandatory MAC requirement.",
"references": [
{"title": "RFC 4253", "url": "https://www.rfc-editor.org/rfc/rfc4253"}
]
}
]
},
{
"name": "Key Exchange Algorithms",
"entries": [
{
"algorithms": ["curve25519-sha256"],
"classification": "secure",
"rationale": "Twist-secure Montgomery curve with security slightly under 128 bits and well-analyzed implementations.",
"references": [
{"title": "Bernstein 2006", "url": "https://cr.yp.to/ecdh/curve25519-20060209.pdf"},
{"title": "RFC 7748", "url": "https://www.rfc-editor.org/rfc/rfc7748"}
]
},
{
"algorithms": ["curve25519-sha256@libssh.org"],
"classification": "secure",
"rationale": "Same properties as above, differing only in identification string.",
"references": [
{"title": "Bernstein 2006", "url": "https://cr.yp.to/ecdh/curve25519-20060209.pdf"},
{"title": "RFC 7748", "url": "https://www.rfc-editor.org/rfc/rfc7748"}
]
},
{
"algorithms": ["diffie-hellman-group14-sha256"],
"classification": "secure",
"rationale": "2048-bit MODP group delivers ~112-bit strength and avoids SHA-1 collisions.",
"references": [
{"title": "Lenstra & Verheul 2001", "url": "https://link.springer.com/article/10.1007/s00145-001-0009-4"},
{"title": "Adrian et al. 2015", "url": "https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf"}
]
},
{
"algorithms": ["diffie-hellman-group16-sha512"],
"classification": "secure",
"rationale": "4096-bit MODP group maps to ~152-bit strength.",
"references": [
{"title": "Lenstra & Verheul 2001", "url": "https://link.springer.com/article/10.1007/s00145-001-0009-4"}
]
},
{
"algorithms": ["diffie-hellman-group18-sha512"],
"classification": "secure",
"rationale": "8192-bit MODP group exceeds 192-bit strength targets.",
"references": [
{"title": "Lenstra & Verheul 2001", "url": "https://link.springer.com/article/10.1007/s00145-001-0009-4"}
]
},
{
"algorithms": ["diffie-hellman-group-exchange-sha256"],
"classification": "secure",
"rationale": "Ephemeral MODP parameters sized per policy mitigate precomputation per Logjam guidance.",
"references": [
{"title": "Adrian et al. 2015", "url": "https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf"}
]
},
{
"algorithms": ["sntrup761x25519-sha512@openssh.com"],
"classification": "secure",
"rationale": "Combines NTRU Prime (post-quantum) with Curve25519 (classical) for hybrid security.",
"references": [
{"title": "Bernstein et al. 2017", "url": "https://ntruprime.cr.yp.to/ntruprime-20170628.pdf"},
{"title": "OpenSSH sshd_config", "url": "https://github.com/openssh/openssh-portable/blob/master/sshd_config.5"}
]
},
{
"algorithms": ["sntrup761x25519-sha512"],
"classification": "secure",
"rationale": "Same construction as above without the OpenSSH suffix.",
"references": [
{"title": "Bernstein et al. 2017", "url": "https://ntruprime.cr.yp.to/ntruprime-20170628.pdf"},
{"title": "OpenSSH sshd_config", "url": "https://github.com/openssh/openssh-portable/blob/master/sshd_config.5"}
]
},
{
"algorithms": ["mlkem768x25519-sha256"],
"classification": "secure",
"rationale": "Hybrid Kyber (ML-KEM-768) plus Curve25519 exchange vetted by the Kyber team.",
"references": [
{"title": "Bos et al. 2017", "url": "https://eprint.iacr.org/2017/634.pdf"},
{"title": "OpenSSH sshd_config", "url": "https://github.com/openssh/openssh-portable/blob/master/sshd_config.5"}
]
},
{
"algorithms": ["kex-strict-s-v00@openssh.com"],
"classification": "secure",
"rationale": "OpenSSH strict key exchange extension mitigates CVE-2023-48795 (Terrapin attack) by enforcing strict message sequencing and resetting sequence numbers after key exchange.",
"references": [
{"title": "OpenSSH sshd_config", "url": "https://github.com/openssh/openssh-portable/blob/master/sshd_config.5"},
{"title": "Terrapin Attack", "url": "https://terrapin-attack.com"}
]
},
{
"algorithms": ["ext-info-s"],
"classification": "secure",
"rationale": "RFC 8308 extension provides capability discovery after key exchange, enabling negotiation of additional features. Used with kex-strict for enhanced security.",
"references": [
{"title": "RFC 8308", "url": "https://www.rfc-editor.org/rfc/rfc8308"}
]
},
{
"algorithms": ["diffie-hellman-group1-sha1"],
"classification": "insecure",
"rationale": "1024-bit MODP group falls to the Logjam precomputation attack.",
"references": [
{"title": "Adrian et al. 2015", "url": "https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf"}
]
},
{
"algorithms": ["diffie-hellman-group14-sha1"],
"classification": "insecure",
"rationale": "Although the modulus is large enough, the SHA-1 hash in the transcript is collision-prone.",
"references": [
{"title": "Stevens et al. 2017", "url": "https://shattered.io/static/shattered.pdf"}
]
},
{
"algorithms": ["diffie-hellman-group-exchange-sha1"],
"classification": "insecure",
"rationale": "Same SHA-1 transcript risk as above plus potential parameter downgrades.",
"references": [
{"title": "Stevens et al. 2017", "url": "https://shattered.io/static/shattered.pdf"}
]
}
]
},
{
"name": "Host-Key Algorithms",
"entries": [
{
"algorithms": ["ssh-ed25519"],
"classification": "secure",
"rationale": "Ed25519 provides deterministic, side-channel resistant signatures at the 128-bit security level.",
"references": [
{"title": "Bernstein et al. 2012", "url": "https://cr.yp.to/papers/ed25519-20110926.pdf"},
{"title": "RFC 8709", "url": "https://www.rfc-editor.org/rfc/rfc8709"}
]
},
{
"algorithms": ["ssh-ed25519-cert-v01@openssh.com"],
"classification": "secure",
"rationale": "Same Ed25519 guarantees with OpenSSH certificate framing.",
"references": [
{"title": "Bernstein et al. 2012", "url": "https://cr.yp.to/papers/ed25519-20110926.pdf"},
{"title": "RFC 8709", "url": "https://www.rfc-editor.org/rfc/rfc8709"}
]
},
{
"algorithms": ["rsa-sha2-256"],
"classification": "secure",
"rationale": "RSA signatures hardened with SHA-256 resist the SHA-1 collision class of attacks.",
"references": [
{"title": "Boneh & Shoup 2020", "url": "https://toc.cryptobook.us/book.pdf"},
{"title": "RFC 8332", "url": "https://www.rfc-editor.org/rfc/rfc8332"}
]
},
{
"algorithms": ["rsa-sha2-512"],
"classification": "secure",
"rationale": "Same as above with a larger digest.",
"references": [
{"title": "Boneh & Shoup 2020", "url": "https://toc.cryptobook.us/book.pdf"},
{"title": "RFC 8332", "url": "https://www.rfc-editor.org/rfc/rfc8332"}
]
},
{
"algorithms": ["ssh-rsa-cert-v01@openssh.com"],
"classification": "secure",
"rationale": "Certificates inherit the stronger SHA-2 RSA signatures when configured accordingly.",
"notes": "Use with rsa-sha2-256/512",
"references": [
{"title": "Boneh & Shoup 2020", "url": "https://toc.cryptobook.us/book.pdf"},
{"title": "RFC 8332", "url": "https://www.rfc-editor.org/rfc/rfc8332"}
]
},
{
"algorithms": ["ssh-rsa"],
"classification": "insecure",
"rationale": "Uses SHA-1 signatures, which are forgeable via chosen-prefix collisions.",
"references": [
{"title": "Stevens et al. 2017", "url": "https://shattered.io/static/shattered.pdf"}
]
},
{
"algorithms": ["ssh-rsa-cert-v00@openssh.com"],
"classification": "insecure",
"rationale": "Certificate flavor that still relies on SHA-1 signatures.",
"references": [
{"title": "Stevens et al. 2017", "url": "https://shattered.io/static/shattered.pdf"}
]
},
{
"algorithms": ["ssh-dss"],
"classification": "insecure",
"rationale": "DSA keys are permanently limited to 1024 bits and were disabled by OpenSSH for insufficient security margin.",
"references": [
{"title": "OpenSSH 7.0 Release Notes", "url": "https://www.openssh.org/txt/release-7.0"}
]
}
]
}
]
}