
Is there a site, which provides a list of weak cipher suites for (Open-)SSH? I know for example that arcfour is not recommended, but there is a whole list of other cipher suites offered, where I am not quite sure.

Anders
skipper

2 Answers

On most systems, OpenSSH supports AES, ChaCha20, Blowfish, CAST128, IDEA, RC4, and 3DES. I am assuming you are talking about the symmetric ciphers used. If you are also wondering about the HMAC and key exchange, I can edit my answer to explain which of those are strong or weak as well.

The good

AES and ChaCha20 are the best ciphers currently supported. AES is the industry standard, and all key sizes (128, 192, and 256) are currently supported with a variety of modes (CTR, CBC, and GCM). ChaCha20 is a more modern cipher and is designed with a very high security margin. It is very fast. While AES is secure, the CBC mode leads to some potential vulnerabilities, so it is no longer recommended. CTR mode, or better GCM, would be preferred. ChaCha20 on the other hand is a stream cipher, so it does not use a block mode of operation and is therefore not able to use CBC insecurely. ChaCha20 additionally uses Poly1305 for authentication, making an HMAC unnecessary. Unlike an HMAC, Poly1305 does not rely on the assumption of security of any hashing algorithm. As long as the underlying cipher is secure, the authentication will be unbroken.

The bad

Blowfish, IDEA, and CAST128 are not bad ciphers per se, but they have a 64-bit block size. This means the key must be reseeded periodically. 3DES additionally, due to a meet-in-the-middle attack, has its effective security reduced from 168 bits to 112 bits. This is not horrible, but it is not ideal. The issue with 64-bit block sizes is described quite well on the Sweet32 website, describing the attacks made possible. The gist of it is that encrypting a large amount of data with a single key can leak information about the plaintext. When 32 GiB of data are encrypted, things get really bad. It's often recommended to change keys after every 4 GiB. While small block sizes are not great, OpenSSH does automatically reseed these ciphers more often than otherwise to attempt to mitigate this flaw. The ciphers themselves are not particularly bad. These ciphers, while old, are not subject to any known attacks that allow a complete break of the cipher. There are simply better alternatives out there.

The ugly

Arcfour, or RC4, is as you stated not particularly secure. Severe statistical biases have been known to exist for a while, and new attacks keep being discovered. While OpenSSH does drop the first 1536 problematic bytes of the cipher, it is still subject to a variety of other attacks. Avoid using RC4.

Overall, you should be using ChaCha20 or AES and avoiding RC4. Use 3DES only when necessary for backwards compatibility. The default OpenSSH settings on any modern installation should be fine in virtually all circumstances. You can't go wrong by using the defaults.

forest
    One thing worth adding to this excellent answer is that OpenSSH's default settings for recent versions are generally a good choice. Most people shouldn't be double guessing these. See [the `sshd_config(5)` man page](https://man.openbsd.org/sshd_config). – Luis Casillas Feb 27 '18 at 00:29
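As an added example (not part of forest's answer or of OpenSSH itself), here is a POSIX shell script that sorts the cipher names OpenSSH reports into the answer's "good / bad / ugly" buckets and prints the resulting `Ciphers` directive for `sshd_config`. The names are the identifiers OpenSSH itself uses in `ssh -Q cipher`; the classification follows the answer, with the one editorial choice that CBC-mode AES goes into the "bad" bucket because the answer says CBC is no longer recommended. The sample cipher list embedded below is constructed to look like an older OpenSSH build; on a real host you would pipe `ssh -Q cipher` into `audit_ciphers` instead.

```shell
#!/bin/sh
# Added example: classify OpenSSH cipher names per forest's answer and emit a
# hardened "Ciphers" line. Not code from the original page or from OpenSSH.

# classify_cipher NAME -> prints one of: good, bad, ugly, unknown
classify_cipher() {
    case "$1" in
        # The good: AEAD or CTR-mode AES, and ChaCha20-Poly1305.
        chacha20-poly1305@openssh.com|aes*-gcm@openssh.com|aes*-ctr) echo good ;;
        # AES itself is fine, but CBC mode is what the answer warns about.
        aes*-cbc|rijndael-cbc@lysator.liu.se) echo bad ;;
        # The bad: 64-bit block ciphers (Sweet32) and 3DES.
        3des-cbc|blowfish-cbc|cast128-cbc|idea-cbc) echo bad ;;
        # The ugly: RC4 in every variant OpenSSH has shipped.
        arcfour|arcfour128|arcfour256) echo ugly ;;
        *) echo unknown ;;
    esac
}

# audit_ciphers: read cipher names from stdin (one per line) and print a verdict per line.
audit_ciphers() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%-32s %s\n' "$name" "$(classify_cipher "$name")"
    done
}

# recommended_ciphers: read cipher names from stdin and print only the "good"
# ones as a comma-separated list, in the order given, ready for a Ciphers line.
recommended_ciphers() {
    out=""
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "$(classify_cipher "$name")" = good ]; then
            out="${out:+$out,}$name"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample: what an older OpenSSH might report for `ssh -Q cipher`.
SAMPLE_CIPHERS='3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes128-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com'

printf '%s\n' "$SAMPLE_CIPHERS" | audit_ciphers
printf 'Ciphers %s\n' "$(printf '%s\n' "$SAMPLE_CIPHERS" | recommended_ciphers)"
```

On a live system, `ssh -Q cipher | audit_ciphers` shows what the local build can negotiate, and `sshd -T | grep -i '^ciphers'` shows what the running server actually offers after `sshd_config` is applied; `ssh -Q mac` and `ssh -Q kex` list the other two algorithm classes the answer mentions but does not rank. Anything the script reports as `unknown` is a name it has no opinion on, not a verdict that it is safe.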

To add to forest's answer, there are additional cryptographic functions other than the symmetric cipher such as the hash (or HMAC), public-private key cipher and more.

NIST 140-2 covers all of this. https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf

MikeP