0 votes
by (280 points)

Hello,

I am using Rebex version 2015 R3.1 in our project. As part of a new feature we are planning to remove SHA1 encryption from our project and add SHA2 instead. We found that Rebex is using SHA1, so we want to use a Rebex version which uses SHA2 encryption for SFTP transfer.

Please let us know which version we need to use for that.

Thanks & Regards,
Abdul Salam K.A

Applies to: SSH Pack

1 Answer

+1 vote
by (144k points)
Best answer

Hello,

Please note that SHA-1 and SHA-2 are not encryption algorithms. They are cryptographic hash functions (or a set of cryptographic hash functions in the case of SHA-2).

To enable only SSH key exchange algorithms, host key algorithms and MAC algorithms based on SHA-2 and disable those based on SHA-1, use at least Rebex SSH Pack 2016 R3 (although using the latest version is recommended) and call the following before connecting:

// Key exchange: SHA-256/SHA-512 based methods only
obj.Settings.SshParameters.SetKeyExchangeAlgorithms(
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group15-sha512",
    "diffie-hellman-group14-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256@libssh.org");

// Host key (server authentication): SHA-2 signature schemes and Ed25519 only
obj.Settings.SshParameters.SetHostKeyAlgorithms(
    "ssh-rsa-sha256@ssh.com",
    "rsa-sha2-256",
    "rsa-sha2-512",
    "x509v3-sign-rsa-sha256@ssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519");

// Message authentication: HMAC-SHA-2 only
obj.Settings.SshParameters.SetMacAlgorithms(
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-256",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-512");

(Where obj is an instance of Sftp, Scp, Ssh or FileServer.)

If you would also like to disable AEAD encryption algorithms such as AES/GCM, which are not used with any MAC cipher, enable only the rest:

obj.Settings.SshParameters.SetEncryptionAlgorithms(
    "aes256-ctr",
    "aes192-ctr",
    "aes128-ctr",
    "aes256-cbc",
    "aes192-cbc",
    "aes128-cbc",
    "3des-ctr",
    "3des-cbc",
    "twofish256-ctr",
    "twofish192-ctr",
    "twofish128-ctr",
    "twofish256-cbc",
    "twofish192-cbc",
    "twofish128-cbc");

(However, we do not believe there is any reason to do this - AEAD ciphers are secure enough.)

by (280 points)
Hi Lukas,

Thank you very much for quick response.

We are using the code below to connect to the ftp.

var ftp = new Sftp();

ftp.Connect(hostName);
ftp.Login(username, privateKey);
ftp.ChangeDirectory("directoryName");

Please confirm which cryptographic hash function you are using if we connect with the above code.

Please confirm whether you are using any cryptographic hash function if we have not specified any hashing method (i.e. SHA1/SHA2).
by (144k points)
If you don't specify any settings, some SSH based ciphers based on SHA-1 are still enabled, although SHA-2 based ciphers are preferred. This means the code above will use SSH ciphers based on SHA-2 hash function when connecting to SSH servers that support them, and ciphers based on SHA-1 when connecting to legacy SSH servers that only support SHA-1.
by (280 points)
While using the code below I am getting the following errors:

'SshParameters' does not contain a definition for 'SetKeyExchangeAlgorithms' and no accessible extension method 'SetKeyExchangeAlgorithms' accepting a first argument of type 'SshParameters' could be found (are you missing a using directive or an assembly reference?)
'SshParameters' does not contain a definition for 'SetHostKeyAlgorithms' and no accessible extension method 'SetHostKeyAlgorithms' accepting a first argument of type 'SshParameters' could be found (are you missing a using directive or an assembly reference?)
'SshParameters' does not contain a definition for 'SetMacAlgorithms' and no accessible extension method 'SetMacAlgorithms' accepting a first argument of type 'SshParameters' could be found (are you missing a using directive or an assembly reference?)

The code:

var ftp = new Sftp();

ftp.Settings.SshParameters.SetKeyExchangeAlgorithms(
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group15-sha512",
    "diffie-hellman-group14-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256@libssh.org");

ftp.Settings.SshParameters.SetHostKeyAlgorithms(
    "ssh-rsa-sha256@ssh.com",
    "rsa-sha2-256",
    "rsa-sha2-512",
    "x509v3-sign-rsa-sha256@ssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519");

ftp.Settings.SshParameters.SetMacAlgorithms(
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-256",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-512");
by (144k points)
Hello, as I stated in my original reply, you have to use at least Rebex SSH Pack 2016 R3 (although using the latest version is recommended). Those methods were not available in older versions.
by (280 points)
We are going to replace SHA 1 with SHA 256 as I said earlier, and we are currently using the versions of software below:

1.    Visual Studio 2019
2.    Net Framework 4.8
3.    SHA 256
Rebex:
Rebex.Common      2.0.5584.0
Rebex.Networking  3.0.5584.0
Rebex.Sftp        3.0.5584.0


Could you please advise us which Rebex version we should use to support our current environment or requirements?
by (144k points)
You should use the latest Rebex version (2018 R4.1, which corresponds to version number 5.0.7290.0).
by (280 points)
Hi Lukas,

Currently we have only the Rebex versions below:

1.    Version 2015 R3.1 (from 2015-04-16)
2.    Version 2018 R2.1 (from 2018-09-03)
3.    Version 2019 R3.1 (from 2019-08-09)
4.    Version 2019 R4.1 (Latest version)

Please advise us which version is best fit for .Net Framework 4.8 and SHA 256.
by (144k points)
Version 2019 R4.1 (Latest version) is the best fit for this platform.
by (280 points)
Hi Lukas,

I am getting the exception below while connecting to the SFTP server:

Rebex.Net.SftpException: 'Negotiation failed. The client and the server have no common host key algorithm. Server supports 'ssh-dss' which is not enabled at the client.'

Inner Exception
SshException: The client and the server have no common host key algorithm.

Version:
Rebex.Common      - 5.0.7290.0
Rebex.Networking  - 5.0.7290.0
Rebex.Sftp        - 5.0.7290.0

Code:
var ftp = new Sftp();

ftp.Settings.SshParameters.SetKeyExchangeAlgorithms(
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group15-sha512",
    "diffie-hellman-group14-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256@libssh.org");

ftp.Settings.SshParameters.SetHostKeyAlgorithms(
    "ssh-rsa-sha256@ssh.com",
    "rsa-sha2-256",
    "rsa-sha2-512",
    "x509v3-sign-rsa-sha256@ssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519");

ftp.Settings.SshParameters.SetMacAlgorithms(
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-256",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-512");

ftp.Connect("myserver");
ftp.Login("username", "password");
ftp.ChangeDirectory("ftpserver");


Please let us know if I missed something.
by (144k points)
This looks like the server you are connecting to only supports host key ciphers based on SHA-1, such as "ssh-dss". Because you disabled all non-SHA-2 ciphers, you are no longer able to connect to this server.
by (280 points)
Hi Lukas,


If we use the code below to connect to the SFTP server:

var ftp = new Sftp();

ftp.Settings.SshParameters.SetKeyExchangeAlgorithms(
                    "diffie-hellman-group-exchange-sha256",
                    "diffie-hellman-group14-sha256"
                    );

ftp.Connect(hostName);
ftp.Login(username, privateKey);
ftp.ChangeDirectory("directoryName");

Please confirm which cryptographic hash function you are using if we connect with the above code.
by (144k points)
If you connect with the code above, only SHA-256 will be used for SSH key exchange.

However, SHA-1 could still be used for server authentication (use the SetHostKeyAlgorithms method to configure that) and for message authentication (use the SetMacAlgorithms method to configure that).
by (280 points)
Lukas, thank you very much for your support :)