Re: [OpenWrt-Devel] [PATCH] [package] dropbear: enable sha2-based hmac by default.
On Friday, October 03, 2014 01:55:29 PM Weedy wrote: Based off failed ciphers/macs no matching cipher found: client rijndael-...@lysator.liu.se server aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc no matching mac found: client hmac-ripemd160-...@openssh.com server hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5 for cipher in 3des-cbc 3des-ctr aes128-cbc aes256-cbc aes128-ctr aes256-ctr; do for mac in hmac-md5 hmac-sha1 hmac-sha2-256 hmac-sha2-512; do echo ; echo cipher: $cipher; echo mac: $mac; for bah in 1 2 3; do dd if=/dev/zero bs=1M count=25 | ssh -c $cipher -m $mac -o Compression no r...@openwrt.lan 'time cat - /dev/null'; echo ; sleep 2; done; done; done OpenSSH_6.6.1 connecting to TP-Link 4300, time to transfer 26MiB of junk to null. Best of three, my router is in use and not idle. 3des-cbc +-+--+--+--+--+ |time\hmac|md5 | sha1 | sha256 | sha512 | +-+--+--+--+--+ | real| 0m27.65s | 0m27.98s | 0m29.47s | 0m31.93s | | user| 0m 0.05s | 0m 0.04s | 0m 0.02s | 0m 0.04s | | sys | 0m 0.25s | 0m 0.22s | 0m 0.24s | 0m 0.22s | +-+--+--+--+--+ aes128-cbc +-+--+--+--+--+ |time\hmac|md5 | sha1 | sha256 | sha512 | +-+--+--+--+--+ | real| 0m12.07s | 0m12.62s | 0m13.61s | 0m16.05s | | user| 0m 0.02s | 0m 0.03s | 0m 0.00s | 0m 0.02s | | sys | 0m 0.27s | 0m 0.23s | 0m 0.21s | 0m 0.22s | +-+--+--+--+--+ aes256-cbc +-+--+--+--+--+ |time\hmac|md5 | sha1 | sha256 | sha512 | +-+--+--+--+--+ | real| 0m13.32s | 0m13.61s | 0m14.97s | 0m17.71s | | user| 0m 0.02s | 0m 0.03s | 0m 0.03s | 0m 0.03s | | sys | 0m 0.27s | 0m 0.23s | 0m 0.22s | 0m 0.28s | +-+--+--+--+--+ aes128-ctr +-+--+--+--+--+ |time\hmac|md5 | sha1 | sha256 | sha512 | +-+--+--+--+--+ | real| 0m12.64s | 0m12.80s | 0m13.74s | 0m16.19s | | user| 0m 0.04s | 0m 0.02s | 0m 0.02s | 0m 0.01s | | sys | 0m 0.18s | 0m 0.24s | 0m 0.17s | 0m 0.23s | +-+--+--+--+--+ aes256-ctr +-+--+--+--+--+ |time\hmac|md5 | sha1 | sha256 | sha512 | +-+--+--+--+--+ | real| 0m13.40s | 0m13.84s | 0m15.20s | 0m18.11s | | user| 0m 0.01s | 0m 0.03s | 0m 0.02s | 0m 0.00s | | sys | 0m 0.17s | 0m 0.16s | 0m 0.18s | 0m 0.24s | +-+--+--+--+--+ We should dump 3des-* and pick up arcfour* Thanks for performing cipher speed test in addition with hmac test. I realize that there is no need to enable stronger hash function for hmac. The md5 collision attacks and 'predicted' sha1 collision attacks are just affecting `pure` digest function. There is no known attack affecting hmac-md5 or hmac-sha1, because hmac is not as simple as digest. It's an advanced operation to verify deciphered message, operating blocks by blocks repeatedly. It's sure hard to perform collision attack on hmac, because the underlying layer is already encrypted, for example by aes128-ctr cipher. Currently, there is no formal advice to enable stronger digest for hmac. The well known OpenSSH is still using hmac-md5 as default message authentication algorithm, although it has added support for sha2-based hmac since 5.9. To be specified, OpenSSH is using hmac-md5-...@openssh.com - a special extension added by OpenSSH to add more security to hmac-md5 - if the server supports it. IETF says that hmac-md5 isn't broken, although the md5 hash function is considered weak to collision attacks. https://www.ietf.org/mail-archive/web/cfrg/current/msg01202.html There is no need to rush. I know that when the time comes, OpenWrt developers will enable hmac-sha2 by default. Maybe years from now, or when the dropbear upstream enables hmac-sha2 by default. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] [package] dropbear: enable sha2-based hmac by default.
On 27/09/14 01:29 PM, Alive wrote: On 27/09/2014 23:34, Weedy wrote: I got bit by this last week when I audited my ssh config and dropped all weak/slow ciphers. Couldn't log into my routers and had to add md5 ciphers and macs back. You must rebuild dropbear package cleanly to test this patch Save the patch as file located on package/network/services/dropbear/patches/600-enable-hmac-sha2.patch, relative to OpenWrt source directory. The patch is available here http://patchwork.openwrt.org/patch/6322/ Do make clean to clean up the package, and then make to build the firmware. Flash the resulting firmware and test connecting to dropbear ssh daemon. To test using hmac-sha2-256, run this command ssh -o MACs=hmac-sha2-256 root@OpenWrt To test using hmac-sha2-512, run this command ssh -o MACs=hmac-sha2-512 root@OpenWrt For your information, there is almost no difference between message authentication algorithm in time needed to establish ssh connection. I perform the test on my TL-MR3220 (AR9330, mips, dropbear 2014.65, r42321). The identity file is cached via ssh-agent. The test commands are bellow. time ssh -o MACs=hmac-md5 OpenWrt /bin/true time ssh -o MACs=hmac-sha1 OpenWrt /bin/true time ssh -o MACs=hmac-sha2-256 OpenWrt /bin/true time ssh -o MACs=hmac-sha2-512 OpenWrt /bin/true Here are time needed to establish ssh connection +-+--+--+--+--+ |time\hmac|md5 | sha1 | sha256 | sha512 | +-+--+--+--+--+ | real| 0m3.526s | 0m3.631s | 0m3.519s | 0m3.543s | | user| 0m0.015s | 0m0.061s | 0m0.015s | 0m0.031s | | sys | 0m0.077s | 0m0.046s | 0m0.093s | 0m0.092s | +-+--+--+--+--+ Putty and Bitvise will try connecting using hmac-sha2-256 when available, whereas OpenSSH will use hmac-md5 by default. I hope this information will be a good reason for enabling sha2-based hmac on dropbear by default. Based off failed ciphers/macs no matching cipher found: client rijndael-...@lysator.liu.se server aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc no matching mac found: client hmac-ripemd160-...@openssh.com server hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5 for cipher in 3des-cbc 3des-ctr aes128-cbc aes256-cbc aes128-ctr aes256-ctr; do for mac in hmac-md5 hmac-sha1 hmac-sha2-256 hmac-sha2-512; do echo ; echo cipher: $cipher; echo mac: $mac; for bah in 1 2 3; do dd if=/dev/zero bs=1M count=25 | ssh -c $cipher -m $mac -o Compression no r...@openwrt.lan 'time cat - /dev/null'; echo ; sleep 2; done; done; done OpenSSH_6.6.1 connecting to TP-Link 4300, time to transfer 26MiB of junk to null. Best of three, my router is in use and not idle. 3des-cbc +-+--+--+--+--+ |time\hmac|md5 | sha1 | sha256 | sha512 | +-+--+--+--+--+ | real| 0m27.65s | 0m27.98s | 0m29.47s | 0m31.93s | | user| 0m 0.05s | 0m 0.04s | 0m 0.02s | 0m 0.04s | | sys | 0m 0.25s | 0m 0.22s | 0m 0.24s | 0m 0.22s | +-+--+--+--+--+ aes128-cbc +-+--+--+--+--+ |time\hmac|md5 | sha1 | sha256 | sha512 | +-+--+--+--+--+ | real| 0m12.07s | 0m12.62s | 0m13.61s | 0m16.05s | | user| 0m 0.02s | 0m 0.03s | 0m 0.00s | 0m 0.02s | | sys | 0m 0.27s | 0m 0.23s | 0m 0.21s | 0m 0.22s | +-+--+--+--+--+ aes256-cbc +-+--+--+--+--+ |time\hmac|md5 | sha1 | sha256 | sha512 | +-+--+--+--+--+ | real| 0m13.32s | 0m13.61s | 0m14.97s | 0m17.71s | | user| 0m 0.02s | 0m 0.03s | 0m 0.03s | 0m 0.03s | | sys | 0m 0.27s | 0m 0.23s | 0m 0.22s | 0m 0.28s | +-+--+--+--+--+ aes128-ctr +-+--+--+--+--+ |time\hmac|md5 | sha1 | sha256 | sha512 | +-+--+--+--+--+ | real| 0m12.64s | 0m12.80s | 0m13.74s | 0m16.19s | | user| 0m 0.04s | 0m 0.02s | 0m 0.02s | 0m 0.01s | | sys | 0m 0.18s | 0m 0.24s | 0m 0.17s | 0m 0.23s | +-+--+--+--+--+ aes256-ctr +-+--+--+--+--+ |time\hmac|md5 | sha1 | sha256 | sha512 | +-+--+--+--+--+ | real| 0m13.40s | 0m13.84s | 0m15.20s | 0m18.11s | | user| 0m 0.01s | 0m 0.03s | 0m 0.02s | 0m 0.00s | | sys | 0m 0.17s | 0m 0.16s | 0m 0.18s | 0m 0.24s | +-+--+--+--+--+ We should dump 3des-* and pick up arcfour* ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org
Re: [OpenWrt-Devel] [PATCH] [package] dropbear: enable sha2-based hmac by default.
I got bit by this last week when I audited my ssh config and dropped all weak/slow ciphers. Couldn't log into my routers and had to add md5 ciphers and macs back. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] [package] dropbear: enable sha2-based hmac by default.
On 27/09/2014 23:34, Weedy wrote: I got bit by this last week when I audited my ssh config and dropped all weak/slow ciphers. Couldn't log into my routers and had to add md5 ciphers and macs back. You must rebuild dropbear package cleanly to test this patch Save the patch as file located on package/network/services/dropbear/patches/600-enable-hmac-sha2.patch, relative to OpenWrt source directory. The patch is available here http://patchwork.openwrt.org/patch/6322/ Do make clean to clean up the package, and then make to build the firmware. Flash the resulting firmware and test connecting to dropbear ssh daemon. To test using hmac-sha2-256, run this command ssh -o MACs=hmac-sha2-256 root@OpenWrt To test using hmac-sha2-512, run this command ssh -o MACs=hmac-sha2-512 root@OpenWrt For your information, there is almost no difference between message authentication algorithm in time needed to establish ssh connection. I perform the test on my TL-MR3220 (AR9330, mips, dropbear 2014.65, r42321). The identity file is cached via ssh-agent. The test commands are bellow. time ssh -o MACs=hmac-md5 OpenWrt /bin/true time ssh -o MACs=hmac-sha1 OpenWrt /bin/true time ssh -o MACs=hmac-sha2-256 OpenWrt /bin/true time ssh -o MACs=hmac-sha2-512 OpenWrt /bin/true Here are time needed to establish ssh connection +-+--+--+--+--+ |time\hmac|md5 | sha1 | sha256 | sha512 | +-+--+--+--+--+ | real| 0m3.526s | 0m3.631s | 0m3.519s | 0m3.543s | | user| 0m0.015s | 0m0.061s | 0m0.015s | 0m0.031s | | sys | 0m0.077s | 0m0.046s | 0m0.093s | 0m0.092s | +-+--+--+--+--+ Putty and Bitvise will try connecting using hmac-sha2-256 when available, whereas OpenSSH will use hmac-md5 by default. I hope this information will be a good reason for enabling sha2-based hmac on dropbear by default. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] [package] dropbear: enable sha2-based hmac by default.
On 26/09/2014 10:11, Catalin Patulea wrote: What's the motivation for this change? On Thu, Sep 25, 2014 at 11:43 AM, Alive alive4e...@live.com wrote: X-Patchwork-Id: 6322 Message-Id: blu437-smtp18d6698761b98124aca899e4...@phx.gbl Is there any chance for my proposed patch to be committed? http://patchwork.openwrt.org/patch/6322/ Here is a brief comparison about binary and package size increase. Tested on AR9330, mips, TL MR3220v2 Before applying sha2-hmac patch root@OpenWrt:~# du -sh $(which dropbear) 161.5K /usr/sbin/dropbear After applying sha2-hmac patch root@OpenWrt:~# du -sh $(which dropbear) 165.5K /usr/sbin/dropbear It's about 4K binary size increase. debug information ssh root@OpenWrt -o MACs=hmac-sha2-512,hmac-sha2-256 -v ... debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server-client aes128-ctr hmac-sha2-512 none debug1: kex: client-server aes128-ctr hmac-sha2-512 none ... Package size compared to downloaded trunk 84829 Sep 25 02:43 dropbear_2014.65-2_ar71xx.ipk 81896 Sep 25 02:13 dropbear_2014.65-2_ar71xx.ipk It's about 3K package size increase. As SHA1 signature hash is about to be obsolete on certificates, it would be better to prepare for next generation hash algorithms. Here are some references. http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know https://www.digicert.com/sha-2-ssl-certificates.htm While CA is encouraging users to upgrade to SHA2-based certificates, it'd be better to assume that SHA1 HMAC will also be obsolete. I know unix philosophy Don't fix what ain't broken. I think it's better to provide safety measure to prevent disaster instead of waiting the disaster to come and fix it later. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] [package] dropbear: enable sha2-based hmac by default.
X-Patchwork-Id: 6322 Message-Id: blu437-smtp18d6698761b98124aca899e4...@phx.gbl Is there any chance for my proposed patch to be committed? http://patchwork.openwrt.org/patch/6322/ Here is a brief comparison about binary and package size increase. Tested on AR9330, mips, TL MR3220v2 Before applying sha2-hmac patch root@OpenWrt:~# du -sh $(which dropbear) 161.5K /usr/sbin/dropbear After applying sha2-hmac patch root@OpenWrt:~# du -sh $(which dropbear) 165.5K /usr/sbin/dropbear It's about 4K binary size increase. debug information ssh root@OpenWrt -o MACs=hmac-sha2-512,hmac-sha2-256 -v ... debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server-client aes128-ctr hmac-sha2-512 none debug1: kex: client-server aes128-ctr hmac-sha2-512 none ... Package size compared to downloaded trunk 84829 Sep 25 02:43 dropbear_2014.65-2_ar71xx.ipk 81896 Sep 25 02:13 dropbear_2014.65-2_ar71xx.ipk It's about 3K package size increase. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] [package] dropbear: enable sha2-based hmac by default.
What's the motivation for this change? On Thu, Sep 25, 2014 at 11:43 AM, Alive alive4e...@live.com wrote: X-Patchwork-Id: 6322 Message-Id: blu437-smtp18d6698761b98124aca899e4...@phx.gbl Is there any chance for my proposed patch to be committed? http://patchwork.openwrt.org/patch/6322/ Here is a brief comparison about binary and package size increase. Tested on AR9330, mips, TL MR3220v2 Before applying sha2-hmac patch root@OpenWrt:~# du -sh $(which dropbear) 161.5K /usr/sbin/dropbear After applying sha2-hmac patch root@OpenWrt:~# du -sh $(which dropbear) 165.5K /usr/sbin/dropbear It's about 4K binary size increase. debug information ssh root@OpenWrt -o MACs=hmac-sha2-512,hmac-sha2-256 -v ... debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server-client aes128-ctr hmac-sha2-512 none debug1: kex: client-server aes128-ctr hmac-sha2-512 none ... Package size compared to downloaded trunk 84829 Sep 25 02:43 dropbear_2014.65-2_ar71xx.ipk 81896 Sep 25 02:13 dropbear_2014.65-2_ar71xx.ipk It's about 3K package size increase. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH][package] dropbear: enable sha2-based hmac by default.
Whats the size increase due to that? ~ Jow Here is a brief comparison about binary and package size Tested on AR9330, mips, TL MR3220v2 Before applying sha2-hmac patch root@OpenWrt:~# du -sh $(which dropbear) 161.5K /usr/sbin/dropbear After applying sha2-hmac patch root@OpenWrt:~# du -sh $(which dropbear) 165.5K /usr/sbin/dropbear It's about 4K binary size increase. debug information ssh root@OpenWrt -o MACs=hmac-sha2-512,hmac-sha2-256 -v ... debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server-client aes128-ctr hmac-sha2-512 none debug1: kex: client-server aes128-ctr hmac-sha2-512 none ... Package size compared to downloaded trunk 84829 Sep 25 02:43 dropbear_2014.65-2_ar71xx.ipk 81896 Sep 25 02:13 dropbear_2014.65-2_ar71xx.ipk It's about 3K package size increase. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH][package] dropbear: enable sha2-based hmac by default.
Dropbear should support sha2-based message authentication. This patch will enable hmac-sha2-256 and hmac-sha2-512. --- a/options.h +++ b/options.h @@ -128,8 +128,8 @@ much traffic. */ * which are not the standard form. */ #define DROPBEAR_SHA1_HMAC /*#define DROPBEAR_SHA1_96_HMAC*/ -/*#define DROPBEAR_SHA2_256_HMAC*/ -/*#define DROPBEAR_SHA2_512_HMAC*/ +#define DROPBEAR_SHA2_256_HMAC +#define DROPBEAR_SHA2_512_HMAC #define DROPBEAR_MD5_HMAC /* You can also disable integrity. Don't bother disabling this if you're ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH][package] dropbear: enable sha2-based hmac by default.
Hi. Dropbear should support sha2-based message authentication. This patch will enable hmac-sha2-256 and hmac-sha2-512. Whats the size increase due to that? ~ Jow --- a/options.h +++ b/options.h @@ -128,8 +128,8 @@ much traffic. */ * which are not the standard form. */ #define DROPBEAR_SHA1_HMAC /*#define DROPBEAR_SHA1_96_HMAC*/ -/*#define DROPBEAR_SHA2_256_HMAC*/ -/*#define DROPBEAR_SHA2_512_HMAC*/ +#define DROPBEAR_SHA2_256_HMAC +#define DROPBEAR_SHA2_512_HMAC #define DROPBEAR_MD5_HMAC /* You can also disable integrity. Don't bother disabling this if you're ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel