Planning to upgrade Rebex to a version which supports/uses SHA2 encryption only?

0 votes
asked Dec 12, 2019 by salam (220 points)
retagged Dec 12, 2019 by salam

Hello,

I am using Rebex version 2015 R3.1 in our project. As part of a new feature we are planning to remove SHA1 encryption from our project and add SHA2 instead. We found that Rebex is using SHA1, so we want to use a Rebex version which uses SHA2 encryption for SFTP transfer.

Please let us know which version we need to use for that.

Thanks & Regards,
Abdul Salam K.A

Applies to: SSH Pack

1 Answer

+1 vote
answered Dec 12, 2019 by Lukas Pokorny (107,350 points)
selected Jan 22 by salam
 
Best answer

Hello,

Please note that SHA-1 and SHA-2 are not encryption algorithms. They are cryptographic hash functions (or a set of cryptographic hash functions in the case of SHA-2).

To only enable SSH key exchange algorithms, host key algorithms and MAC algorithms based on SHA-2 and disable those based on SHA-1, use at least Rebex SSH Pack 2016 R3 (although using the latest version is recommended) and call these before connecting:

obj.Settings.SshParameters.SetKeyExchangeAlgorithms(
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group15-sha512",
    "diffie-hellman-group14-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256@libssh.org");

obj.Settings.SshParameters.SetHostKeyAlgorithms(
    "ssh-rsa-sha256@ssh.com",
    "rsa-sha2-256",
    "rsa-sha2-512",
    "x509v3-sign-rsa-sha256@ssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519");

obj.Settings.SshParameters.SetMacAlgorithms(
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-256",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-512");

(Where obj is an instance of Sftp, Scp, Ssh or FileServer.)

If you would also like to disable AEAD encryption algorithms such as AES/GCM that are not used with any MAC cipher, only enable the rest:

obj.Settings.SshParameters.SetEncryptionAlgorithms(
    "aes256-ctr",
    "aes192-ctr",
    "aes128-ctr",
    "aes256-cbc",
    "aes192-cbc",
    "aes128-cbc",
    "3des-ctr",
    "3des-cbc",
    "twofish256-ctr",
    "twofish192-ctr",
    "twofish128-ctr",
    "twofish256-cbc",
    "twofish192-cbc",
    "twofish128-cbc");

(However, we do not believe there is any reason to do this - AEAD ciphers are secure enough.)
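The configuration above, assembled into a reusable client factory plus a connect helper that fails closed on the negotiation error discussed in the comments on this answer. This is an added example, not code from the original answer or from Rebex; the class and method names, the placeholder host/credentials and the assumption that Sftp is IDisposable are mine.

```csharp
using System;
using Rebex.Net;

public static class Sha2OnlySftp
{
    // Applies the three algorithm restrictions from the answer above to a fresh client.
    public static Sftp Create()
    {
        var sftp = new Sftp();
        sftp.Settings.SshParameters.SetKeyExchangeAlgorithms(
            "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
            "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256",
            "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "curve25519-sha256@libssh.org");
        sftp.Settings.SshParameters.SetHostKeyAlgorithms(
            "ssh-rsa-sha256@ssh.com", "rsa-sha2-256", "rsa-sha2-512",
            "x509v3-sign-rsa-sha256@ssh.com", "ecdsa-sha2-nistp256",
            "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519");
        sftp.Settings.SshParameters.SetMacAlgorithms(
            "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256",
            "hmac-sha2-512-etm@openssh.com", "hmac-sha2-512");
        return sftp;
    }

    // Connects with the SHA-2-only profile. Returns false instead of weakening the
    // profile when the server offers nothing in common, which Rebex reports as the
    // "no common ... algorithm" SftpException shown in the comments on this answer.
    public static bool TryConnect(string host, string user, string password)
    {
        using (var sftp = Create())   // assumption: Sftp is IDisposable, as Rebex clients are
        {
            try
            {
                sftp.Connect(host);
                sftp.Login(user, password);
                Console.WriteLine("Connected to {0} using SHA-2 algorithms only.", host);
                return true;
            }
            catch (SftpException ex)
            {
                // e.g. "Negotiation failed. The client and the server have no common
                // host key algorithm. Server supports 'ssh-dss' ..." -> the server's
                // host key must be upgraded; re-enabling SHA-1 here would defeat the goal.
                Console.WriteLine("SHA-2-only negotiation with {0} failed: {1}", host, ex.Message);
                return false;
            }
        }
    }
}
```

Call `Sha2OnlySftp.TryConnect("sftp.example.test", "user", "secret")` (constructed placeholders) and treat a false result as a server-side remediation item, not a reason to widen the client's algorithm lists.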

commented Dec 24, 2019 by salam (220 points)
Hi Lukas,

I am getting the exception below while connecting to the SFTP server:

Rebex.Net.SftpException: 'Negotiation failed. The client and the server have no common host key algorithm. Server supports 'ssh-dss' which is not enabled at the client.'

Inner Exception
SshException: The client and the server have no common host key algorithm.


Version:
Rebex.Common     - 5.0.7290.0
Rebex.Networking - 5.0.7290.0
Rebex.Sftp       - 5.0.7290.0

Code:
var ftp = new Sftp();

ftp.Settings.SshParameters.SetKeyExchangeAlgorithms(
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group15-sha512",
    "diffie-hellman-group14-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256@libssh.org");

ftp.Settings.SshParameters.SetHostKeyAlgorithms(
    "ssh-rsa-sha256@ssh.com",
    "rsa-sha2-256",
    "rsa-sha2-512",
    "x509v3-sign-rsa-sha256@ssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519");

ftp.Settings.SshParameters.SetMacAlgorithms(
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-256",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-512");

ftp.Connect("myserver");
ftp.Login("username", "password");
ftp.ChangeDirectory("ftpserver");


Please let us know if I missed something.
commented Dec 24, 2019 by Lukas Pokorny (107,350 points)
This looks like the server you are connecting to only supports host key ciphers based on SHA-1, such as "ssh-dss". Because you disabled all non-SHA-2 ciphers, you are no longer able to connect to this server.
commented Jan 7 by salam (220 points)
Hi Lukas,


If we use the code below to connect to the SFTP server:

var ftp = new Sftp();

ftp.Settings.SshParameters.SetKeyExchangeAlgorithms(
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256");

ftp.Connect(hostName);
ftp.Login(username, privateKey);
ftp.ChangeDirectory("directoryName");

Please confirm which cryptographic hash function is used if we connect with the above code.
commented Jan 7 by Lukas Pokorny (107,350 points)
If you connect with the code above, only SHA-256 will be used for SSH key exchange.

However, SHA-1 could still be used for server authentication (use the SetHostKeyAlgorithms method to configure that) and for message authentication (use the SetMacAlgorithms method to configure that).
commented Jan 22 by salam (220 points)
Lukas, thank you very much for your support :)