3

In version 1 of the SSH protocol, it was possible to set the ephemeral session key size with the ServerKeyBits setting in sshd_config. Is there a way to do this for version 2 of the ssh protocol?

In the SSH protocol there are three encryption keys used:

  1. The server key
  2. The (intermediary) ephemeral session key
  3. The final symmetric cipher key

The intermediary ephemeral session key is an asymmetric cipher key created only for that session. It is created so that when the final symmetric key is passed, it doesn't have to be encrypted with the server key. This is so that if the server key is ever compromised, you can't use it to recover the end symmetric cipher key from previously "recorded" sessions. This is forward secrecy.

The size of the server key is set by the user when the user creates it. The size of the end symmetric cipher is preset by RFC and is inherent in the symmetric cipher that is chosen. The intermediary key, the ephemeral session key, I don't know how to set the size of that key. In version 1 of the SSH protocol you could set it with the ServerKeyBits setting. What is the way to set this in version 2 of the protocol?

It appears that the client specifies the minimum, preferred, and maximum modulus size when diffie-hellman-group-exchange-sha256 is used as the key exchange method. Does this mean removing smaller bit sizes from the server moduli file (as recommended here) will actually prevent small ephemeral key sizes from being used if the client asks for it, or will the server simply use one of its built-in fixed moduli if a broken client only wants a really small one?

Kurt Fitzner
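The moduli-file pruning mentioned in the question, as an added example that is not part of the original post: shell helpers that report which prime sizes a moduli file offers for group exchange and drop entries below a chosen size. It assumes the moduli(5) layout of seven whitespace-separated fields with the size in the fifth (generated files usually record one less than the nominal bit length, e.g. 3071 for a 3072-bit prime); the sample data and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and prune an sshd moduli file by prime size.
# Assumed moduli(5) layout: time type tests trials size generator modulus

# Constructed sample standing in for /etc/ssh/moduli (modulus values are dummy hex).
sample_moduli() {
cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20180101000000 2 6 100 1023 2 C0FFEE01
20180101000001 2 6 100 1535 2 C0FFEE02
20180101000002 2 6 100 2047 5 C0FFEE03
20180101000003 2 6 100 3071 2 C0FFEE04
20180101000004 2 6 100 3071 5 C0FFEE05
20180101000005 2 6 100 4095 2 C0FFEE06
EOF
}

# Print "size count" for each prime size present, smallest first.
moduli_histogram() {
    awk '!/^#/ && NF == 7 { n[$5]++ } END { for (s in n) print s, n[s] }' | sort -n
}

# Keep comment lines plus entries whose size field is at least $1.
moduli_prune() {
    awk -v min="$1" '/^#/ || (NF == 7 && $5 + 0 >= min + 0)'
}

# Smallest prime size remaining; prints nothing if no entries are left.
moduli_min_size() {
    awk '!/^#/ && NF == 7 { if (m == "" || $5 + 0 < m) m = $5 + 0 }
         END { if (m != "") print m }'
}

echo "before pruning:"
sample_moduli | moduli_histogram
echo "after pruning below 3071:"
sample_moduli | moduli_prune 3071 | moduli_histogram
```

An empty result from `moduli_min_size` means the pruned file would contain no group-exchange primes at all, so check it before installing the output in place of the real file.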

1 Answer

2

A lot of security improvements were made in the SSH 2 protocol compared to protocol version 1 and I imagine removing that option was one of those.

As far as I can divine, the session key size is somewhat implicitly imposed by the server in the selection of the encryption algorithms offered with the Ciphers directive. The actual session key size will eventually be whatever actual cipher then gets negotiated between client and server.

The supported ciphers in OpenSSH are:

               3des-cbc
               aes128-cbc
               aes192-cbc
               aes256-cbc
               aes128-ctr
               aes192-ctr
               aes256-ctr
               aes128-gcm@openssh.com
               aes256-gcm@openssh.com
               arcfour
               arcfour128
               arcfour256
               blowfish-cbc
               cast128-cbc
               chacha20-poly1305@openssh.com

RFC 4253 defines the key sizes associated with each cipher, although the only ones not immediately obvious from the cipher name are:

  • "3des-cbc" - will be deprecated but is still included for historical reasons - has effective key length of 112 bits
  • plain "arcfour" is RC4 and has problems with weak keys, and should be used with caution - key length 128 bits (See this Q&A on the difference between "arcfour" and "arcfour128")
  • chacha20-poly1305@openssh.com - RFC 7539 has AFAIK also a 256 bit key
HBruijn
  • 1
    OpenSSH since 7.6 has removed arcfour, blowfish and CAST. – Michael Hampton Dec 04 '18 at 15:56
  • The ephemeral session key refers to an intermediary asymmetric key, not the final symmetric cipher key. It's created by the protocol so that the symmetric key isn't passed by encrypting it with the server key. This is the principle of forward secrecy so that if the server key is compromised, you can't use it to decrypt all previous symmetric keys. It is that intermediary ephemeral asymmetric key size I want to find out how to set. I will edit the question to clarify. – Kurt Fitzner Dec 04 '18 at 21:04
  • 1
    @KurtFitzner AFAIK you do not set this explicitly. It is determined by the chosen cipher. – Michael Hampton Dec 04 '18 at 21:52