Planning to upgrade Rebex to a version which supports/uses SHA2 encryption only?

0 votes
asked Dec 12, 2019 by salam (220 points)
retagged Dec 12, 2019 by salam

Hello,

I am using Rebex version 2015 R3.1 in our project. As part of a new feature we are planning to remove SHA1 encryption from our project and add SHA2 instead. We found that Rebex uses SHA1, so we want to use a Rebex version which uses SHA2 encryption for SFTP transfer.

Please let us know which version we need to use for that.

Thanks & Regards,
Abdul Salam K.A

Applies to: SSH Pack

1 Answer

+1 vote
answered Dec 12, 2019 by Lukas Pokorny (106,330 points)
selected Jan 22 by salam
 
Best answer

Hello,

Please note that SHA-1 and SHA-2 are not encryption algorithms. They are cryptographic hash functions (or a set of cryptographic hash functions in the case of SHA-2).

To only enable SSH key exchange algorithms, host key algorithms and MAC algorithms based on SHA-2 and disable those based on SHA-1, use at least Rebex SSH Pack 2016 R3 (although using the latest version is recommended) and call these before connecting:

// Key exchange: SHA-2 based methods only. Anything not listed here
// (e.g. diffie-hellman-group14-sha1) is disabled.
obj.Settings.SshParameters.SetKeyExchangeAlgorithms(
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group15-sha512",
    "diffie-hellman-group14-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256@libssh.org");

// Host key (server authentication): SHA-2 based signatures only.
// "ssh-rsa" and "ssh-dss" (both SHA-1 based) are not listed and so disabled.
obj.Settings.SshParameters.SetHostKeyAlgorithms(
    "ssh-rsa-sha256@ssh.com",
    "rsa-sha2-256",
    "rsa-sha2-512",
    "x509v3-sign-rsa-sha256@ssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519");

// Message authentication: HMAC-SHA-2 only ("hmac-sha1" is disabled).
obj.Settings.SshParameters.SetMacAlgorithms(
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-256",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-512");

(Where obj is an instance of Sftp, Scp, Ssh or FileServer.)

If you would also like to disable AEAD encryption algorithms such as AES/GCM, which are not used with any MAC algorithm, only enable the rest:

// Encryption: non-AEAD ciphers only (CTR and CBC modes), so that
// every connection also negotiates one of the MAC algorithms above.
obj.Settings.SshParameters.SetEncryptionAlgorithms(
    "aes256-ctr",
    "aes192-ctr",
    "aes128-ctr",
    "aes256-cbc",
    "aes192-cbc",
    "aes128-cbc",
    "3des-ctr",
    "3des-cbc",
    "twofish256-ctr",
    "twofish192-ctr",
    "twofish128-ctr",
    "twofish256-cbc",
    "twofish192-cbc",
    "twofish128-cbc");

(However, we do not believe there is any reason to do this - AEAD ciphers are secure enough.)

commented Dec 16, 2019 by salam (220 points)
Hi Lukas,

Thank you very much for quick response.

We are using the code below to connect to the SFTP server.

using Rebex.Net;

// No algorithm settings are changed here, so the library defaults apply.
var ftp = new Sftp();

ftp.Connect(hostName);
ftp.Login(username, privateKey);
ftp.ChangeDirectory("directoryName");

Please confirm which cryptographic hash function you are using if we connect with the code above.

Please confirm whether you are using any cryptographic hash function if we have not specified any hashing method (i.e. SHA1/SHA2).
commented Dec 16, 2019 by Lukas Pokorny (106,330 points)
If you don't specify any settings, some SSH based ciphers based on SHA-1 are still enabled, although SHA-2 based ciphers are preferred. This means the code above will use SSH ciphers based on SHA-2 hash function when connecting to SSH servers that support them, and ciphers based on SHA-1 when connecting to legacy SSH servers that only support SHA-1.
commented Dec 19, 2019 by salam (220 points)
While using the code below I am getting the errors below:

'SshParameters' does not contain a definition for 'SetKeyExchangeAlgorithms' and no accessible extension method 'SetKeyExchangeAlgorithms' accepting a first argument of type 'SshParameters' could be found (are you missing a using directive or an assembly reference?)
'SshParameters' does not contain a definition for 'SetHostKeyAlgorithms' and no accessible extension method 'SetHostKeyAlgorithms' accepting a first argument of type 'SshParameters' could be found (are you missing a using directive or an assembly reference?)
'SshParameters' does not contain a definition for 'SetMacAlgorithms' and no accessible extension method 'SetMacAlgorithms' accepting a first argument of type 'SshParameters' could be found (are you missing a using directive or an assembly reference?)


The code in question:

using Rebex.Net;

var ftp = new Sftp();

// These three methods do not exist in the Rebex version referenced by the project.
ftp.Settings.SshParameters.SetKeyExchangeAlgorithms(
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group15-sha512",
    "diffie-hellman-group14-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256@libssh.org");

ftp.Settings.SshParameters.SetHostKeyAlgorithms(
    "ssh-rsa-sha256@ssh.com",
    "rsa-sha2-256",
    "rsa-sha2-512",
    "x509v3-sign-rsa-sha256@ssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519");

ftp.Settings.SshParameters.SetMacAlgorithms(
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-256",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-512");
commented Dec 19, 2019 by Lukas Pokorny (106,330 points)
Hello, as I stated in my original reply, you have to use at least Rebex SSH Pack 2016 R3 (although using the latest version is recommended). Those methods have not been available in older versions.
commented Dec 19, 2019 by salam (220 points)
We are going to replace SHA 1 with SHA 256 as I said earlier, and we are currently using the versions of software below:

1.    Visual Studio 2019
2.    Net Framework 4.8
3.    SHA 256
Rebex:
Rebex.Common      2.0.5584.0
Rebex.Networking  3.0.5584.0
Rebex.Sftp        3.0.5584.0


Could you please advise us which Rebex version we should use, to support our current environment or Requirements?
commented Dec 19, 2019 by Lukas Pokorny (106,330 points)
You should use the latest Rebex version (2018 R4.1, which corresponds to version number 5.0.7290.0).
commented Dec 19, 2019 by salam (220 points)
Hi Lukas,

Currently we have only below Rebex versions,

1.    Version 2015 R3.1 (from 2015-04-16)
2.    Version 2018 R2.1 (from 2018-09-03)
3.    Version 2019 R3.1 (from 2019-08-09)
4.    Version 2019 R4.1 (Latest version)

Please advise us which version is best fit for .Net Framework 4.8 and SHA 256.
commented Dec 19, 2019 by Lukas Pokorny (106,330 points)
Version 2019 R4.1 (Latest version) is the best fit for this platform.
commented Dec 24, 2019 by salam (220 points)
Hi Lukas,

I am getting the below exception while connecting to SFTP Server,

Rebex.Net.SftpException: 'Negotiation failed. The client and the server have no common host key algorithm. Server supports 'ssh-dss' which is not enabled at the client.'

Inner Exception
SshException: The client and the server have no common host key algorithm.


Version:
Rebex.Common      5.0.7290.0
Rebex.Networking  5.0.7290.0
Rebex.Sftp        5.0.7290.0

Code:

using Rebex.Net;

var ftp = new Sftp();

// SHA-2 only key exchange.
ftp.Settings.SshParameters.SetKeyExchangeAlgorithms(
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group15-sha512",
    "diffie-hellman-group14-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256@libssh.org");

// SHA-2 only host key algorithms ("ssh-dss" is not in this list).
ftp.Settings.SshParameters.SetHostKeyAlgorithms(
    "ssh-rsa-sha256@ssh.com",
    "rsa-sha2-256",
    "rsa-sha2-512",
    "x509v3-sign-rsa-sha256@ssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519");

// SHA-2 only MACs.
ftp.Settings.SshParameters.SetMacAlgorithms(
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-256",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-512");

ftp.Connect("myserver");
ftp.Login("username", "password");
ftp.ChangeDirectory("ftpserver");


Please let us know if I missed something.
commented Dec 24, 2019 by Lukas Pokorny (106,330 points)
This looks like the server you are connecting to only supports host key ciphers based on SHA-1, such as "ssh-dss". Because you disabled all non-SHA-2 ciphers, you are no longer able to connect to this server.
commented Jan 7 by salam (220 points)
Hi Lukas,


If we use the code below to connect to the SFTP server:

using Rebex.Net;

var ftp = new Sftp();

// Only the key exchange list is restricted; host key and MAC
// algorithms are left at their defaults.
ftp.Settings.SshParameters.SetKeyExchangeAlgorithms(
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256");

ftp.Connect(hostName);
ftp.Login(username, privateKey);
ftp.ChangeDirectory("directoryName");

Please confirm which cryptographic hash function you are using if we connect with the code above.
commented Jan 7 by Lukas Pokorny (106,330 points)
If you connect with the code above, only SHA-256 will be used for SSH key exchange.

However, SHA-1 could still be used for server authentication (use the SetHostKeyAlgorithms method to configure that) and for message authentication (use the SetMacAlgorithms method to configure that).
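The three behaviours discussed in this thread (the accepted answer's SHA-2-only lists, the "no common host key algorithm" failure in the Dec 24 comment, and the Jan 7 point that restricting only the key exchange leaves SHA-1 in play for host keys and MACs) all follow from the SSH negotiation rule in RFC 4253 section 7.1: for each category the client's list is walked in preference order and the first name the server also offers wins. The script below is an added example that simulates that rule offline; it is not Rebex code and makes no connection. The SHA-2 lists are copied from the answer, while the "permissive" client list, the encryption list and all three server name-lists are constructed for illustration and are not Rebex's or any real server's defaults.

```python
"""
Added example (not Rebex code): simulation of SSH algorithm negotiation per
RFC 4253 section 7.1. The client's name-list is walked in preference order and
the first entry the server also offers is chosen; no match means the
connection fails. All server lists, the "permissive" client list and the
encryption list are constructed for illustration.
"""
from typing import Dict, List, Optional

CATEGORIES = ("kex", "host_key", "encryption", "mac")

# Algorithm names whose security rests on SHA-1 (ssh-rsa and ssh-dss sign a
# SHA-1 digest; the others carry "sha1" in their name).
SHA1_BASED = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1", "ssh-dss", "ssh-rsa",
    "hmac-sha1", "hmac-sha1-96",
}


class NegotiationError(Exception):
    """Raised when a category has no algorithm common to client and server."""


def negotiate_one(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 s7.1: first client preference that the server also supports."""
    offered = set(server)
    return next((name for name in client if name in offered), None)


def negotiate(client: Dict[str, List[str]], server: Dict[str, List[str]]) -> Dict[str, str]:
    """Negotiate every category; raise on the first one with no common algorithm."""
    chosen = {}
    for cat in CATEGORIES:
        alg = negotiate_one(client[cat], server[cat])
        if alg is None:
            raise NegotiationError(
                f"no common {cat.replace('_', ' ')} algorithm; server supports "
                f"'{', '.join(server[cat])}' which is not enabled at the client")
        chosen[cat] = alg
    return chosen


def negotiation_error(client, server) -> Optional[str]:
    """Return the failure message instead of raising, or None on success."""
    try:
        negotiate(client, server)
        return None
    except NegotiationError as exc:
        return str(exc)


def uses_sha1(chosen: Dict[str, str]) -> List[str]:
    """Categories of a negotiated session that still depend on SHA-1."""
    return sorted(cat for cat, alg in chosen.items() if alg in SHA1_BASED)


# Name-lists from the accepted answer (SHA-2 only).
SHA2_KEX = ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
            "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256",
            "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "curve25519-sha256@libssh.org"]
SHA2_HOST_KEY = ["ssh-rsa-sha256@ssh.com", "rsa-sha2-256", "rsa-sha2-512",
                 "x509v3-sign-rsa-sha256@ssh.com", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519"]
SHA2_MAC = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256",
            "hmac-sha2-512-etm@openssh.com", "hmac-sha2-512"]
ENCRYPTION = ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc"]  # constructed

CLIENT_SHA2_ONLY = {"kex": SHA2_KEX, "host_key": SHA2_HOST_KEY,
                    "encryption": ENCRYPTION, "mac": SHA2_MAC}
# Constructed stand-in for a client that prefers SHA-2 but still allows SHA-1.
CLIENT_PERMISSIVE = {"kex": SHA2_KEX + ["diffie-hellman-group14-sha1"],
                     "host_key": SHA2_HOST_KEY + ["ssh-rsa", "ssh-dss"],
                     "encryption": ENCRYPTION, "mac": SHA2_MAC + ["hmac-sha1"]}
# The Jan 7 snippet: only the key exchange list is restricted.
CLIENT_KEX_ONLY = dict(CLIENT_PERMISSIVE,
                       kex=["diffie-hellman-group-exchange-sha256",
                            "diffie-hellman-group14-sha256"])

# Constructed servers: one that only has a DSA host key, one that has an RSA
# key but only SHA-1 signatures and MACs, and one with modern algorithms.
LEGACY_SERVER = {"kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
                 "host_key": ["ssh-dss"], "encryption": ["aes128-cbc", "aes256-ctr"],
                 "mac": ["hmac-sha1"]}
MIXED_SERVER = {"kex": ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
                "host_key": ["ssh-rsa"], "encryption": ["aes256-ctr"], "mac": ["hmac-sha1"]}
MODERN_SERVER = {"kex": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                         "diffie-hellman-group14-sha1"],
                 "host_key": ["ssh-ed25519", "rsa-sha2-512", "ssh-rsa"],
                 "encryption": ["aes256-gcm@openssh.com", "aes256-ctr"],
                 "mac": ["hmac-sha2-256", "hmac-sha1"]}

if __name__ == "__main__":
    for label, client, server in [
        ("permissive client vs legacy server", CLIENT_PERMISSIVE, LEGACY_SERVER),
        ("SHA-2-only client vs legacy server", CLIENT_SHA2_ONLY, LEGACY_SERVER),
        ("SHA-2-only client vs modern server", CLIENT_SHA2_ONLY, MODERN_SERVER),
        ("KEX-only restriction vs mixed server", CLIENT_KEX_ONLY, MIXED_SERVER),
    ]:
        err = negotiation_error(client, server)
        if err:
            print(f"{label}: FAILED: {err}")
        else:
            chosen = negotiate(client, server)
            print(f"{label}: {chosen}; SHA-1 still used for: {uses_sha1(chosen) or 'nothing'}")
```

Running the four scenarios shows the thread's outcomes side by side: the permissive client connects to the DSA-only server but ends up with ssh-dss and hmac-sha1; the SHA-2-only client fails on the host key category with the same wording as the Dec 24 exception; against a modern server it negotiates ecdh-sha2-nistp256, rsa-sha2-512 and hmac-sha2-256; and restricting only the key exchange list still yields ssh-rsa and hmac-sha1 when that is all the server offers. Note that the client's preference order, not the server's, decides which common algorithm is chosen, so ordering the name-lists matters as much as their contents.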
commented Jan 22 by salam (220 points)
Lukas, thank you very much for your support :)