wolfSSH Coming Attractions: Algorithm Updates

It’s been a while since wolfSSH had any new algorithms. I think it is time we had more. wolfCrypt supports a few algorithms wolfSSH doesn’t take advantage of.

For encryption and message authentication, wolfCrypt has Poly1305 and CHACHA20 available. There is not a published RFC for using “poly-chacha” with the SSH protocol, but OpenSSH has its own implementation of this algorithm. wolfSSH shall be able to interoperate with it.

To sign your user authentication or prove the identity of your server, you will be able to use SHA2-256 and SHA2-512 hashing with your RSA keys. We shall add the algorithms rsa-sha2-256 and rsa-sha2-512 described in RFC 8332.

RFC 8709 describes how to use Ed25519 and Ed448 public key signature algorithms with the SSH protocol. wolfCrypt supports these algorithms. wolfSSH should and will as well.

In the area of key exchange, we are bringing wolfSSH into the present by adding KEX algorithms using SHA2-256 and SHA2-512 per RFC 8268. Oakley group 14 is a set of 2048-bit DH group parameters, and can be used with SHA2-256 hashing. The RFC describes how to use larger groups using SHA2-512.

The key exchange algorithms x25519 and x448 will be available along with a taste of the future using a key exchange hybrid with Kyber, the post-quantum key exchange standard.

What is getting left behind?

Network security is an ever evolving landscape. Things change constantly. While we develop new, faster, better algorithms, some of the existing algorithms get broken or brittle and need to be let go.

The digest algorithm SHA1 has been sunset. Since the SSH protocol pairs SHA1 with other algorithms, they are going to be removed as well. Say good-bye to ssh-rsa signing of the server’s KEX public key message and allowing users to authenticate using SHA1 signatures.

SSH uses ECDHE and DHE for key exchange. While ECDHE uses SHA2-256 or better, DHE uses SHA1 with Oakley groups 1 and 14, and Oakley group 1 is only 1024-bit. In this day and age, 1024-bits isn’t good enough and SHA1 shouldn’t be used anymore. The algorithms diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 will be removed.

wolfSSH is lovingly crafted by wolfSSL Inc in the Pacific Northwest. If you have any questions or comments please contact us at facts@wolfssl.com