Verify the current crypto settings #162

Closed
artem-sidorenko opened this Issue Jan 14, 2017 · 3 comments

artem-sidorenko commented Jan 14, 2017

@bazbremner raised this point in GH-141, and @atomic111 and I also had this topic in a phone call in the last few days.

So we should check the following things:

  • kex, macs, ciphers
  • used algorithms for public key authentication - currently we use RSA and ECDSA, DSA is going to be removed (GH-161)

My idea would be to go completely through the following docs and check the things above:

I already have some interesting findings: as I said above, we use ECDSA, and here is the snippet from the blog post of @stribika:

  1. ECDSA with SHA256, SHA384 or SHA512 depending on key size
    ...
    Number 2 here involves NIST suckage and should be disabled as well. Another important disadvantage of DSA and ECDSA is that it uses randomness for each signature. If the random numbers are not the best quality, then it is possible to recover the secret key.

Maybe it would also be nice to ask @stribika for a review of our findings and changes.

@atomic111 what do you think? Something I missed? Do you have time to do this in the next week? If not, it's fine, I can do this and you can review it :)

atomic111 commented Jan 24, 2017

@artem-sidorenko no update of ciphers, macs and kexs needed. But we have to update the ssh host keys according to the list in dev-sec/ssh-baseline#76

artem-sidorenko commented Jan 24, 2017

@atomic111 Ok, I'll provide a PR in the next days

artem-sidorenko commented Jan 24, 2017

thanks:)
