Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Terrapin attack and strict KEX #1285

Closed
DavisNT opened this issue Jan 1, 2024 · 3 comments · Fixed by #1366
Closed

Terrapin attack and strict KEX #1285

DavisNT opened this issue Jan 1, 2024 · 3 comments · Fixed by #1366

Comments

@DavisNT
Copy link
Contributor

DavisNT commented Jan 1, 2024

There is a recently published attack on SSH named Terrapin.

Is SSH.NET affected by Terrapin (does SSH.NET support any of the vulnerable encryption modes; does SSH.NET support the strict key exchange countermeasure)?

@Rob-Hague
Copy link
Collaborator

The library does not support ChaCha20-Poly1305 nor Encrypt-then-MAC (for better or worse), and does not support SSH extension negotiation (RFC8308)

@edwinvandeburgt
Copy link

Will Encrypt-then-MAC be supported (and when)?

Because one of the major cloud provider's SFTP-service isn't working anymore with the proposed security profile:

Amazon AWS FTPS policy

Profile 2022-03 still support the "normal" hashfunctions:
"SshMacs": [ "[email protected]", "[email protected]", "hmac-sha2-512", "hmac-sha2-256" ],

With profile 2023-05, only the EtM versions are supported:
"SshMacs": [ "[email protected]", "[email protected]" ],

Do you have a policy regarding attempting to remain compatibility of the library with the major Cloud providers Microsoft, Amazon and Google?

@DavisNT
Copy link
Contributor Author

DavisNT commented Apr 28, 2024

@scott-xu, @Rob-Hague Thank you very much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants