HPE Community
Operating System - HP-UX
1824124 Members
4223 Online
109668 Solutions
New Discussion

3des-ctr

 
SOLVED
Go to solution
john guardian
Super Advisor

‎10-03-2011 09:48 AM

‎10-03-2011 09:48 AM

3des-ctr

Is 3des-ctr supported by the hp version of ssh(d).

 

I see 3des-cbc but not 3des-ctr.

 

Is this an oversight/omission or is it just not supported by hp?

 

Thx.

 

0 Kudos
Reply
1 REPLY 1
Matti_Kurkela
Honored Contributor

‎10-03-2011 11:46 PM - edited ‎10-04-2011 01:35 AM

‎10-03-2011 11:46 PM - edited ‎10-04-2011 01:35 AM

Solution

Re: 3des-ctr

3des-ctr is not specified as a supported encryption method in the SSH protocol standard RFC, so any SSH developer has little reason to support it.

 

Source:

http://tools.ietf.org/html/rfc4253#section-6.3

Quote:

   The following ciphers are currently defined:

      3des-cbc         REQUIRED          three-key 3DES in CBC mode
      blowfish-cbc     OPTIONAL          Blowfish in CBC mode
      twofish256-cbc   OPTIONAL          Twofish in CBC mode,
                                         with a 256-bit key
      twofish-cbc      OPTIONAL          alias for "twofish256-cbc"
                                         (this is being retained
                                         for historical reasons)
      twofish192-cbc   OPTIONAL          Twofish with a 192-bit key
      twofish128-cbc   OPTIONAL          Twofish with a 128-bit key
      aes256-cbc       OPTIONAL          AES in CBC mode,
                                         with a 256-bit key
      aes192-cbc       OPTIONAL          AES with a 192-bit key
      aes128-cbc       RECOMMENDED       AES with a 128-bit key
      serpent256-cbc   OPTIONAL          Serpent in CBC mode, with
                                         a 256-bit key
      serpent192-cbc   OPTIONAL          Serpent with a 192-bit key
      serpent128-cbc   OPTIONAL          Serpent with a 128-bit key
      arcfour          OPTIONAL          the ARCFOUR stream cipher
                                         with a 128-bit key
      idea-cbc         OPTIONAL          IDEA in CBC mode
      cast128-cbc      OPTIONAL          CAST-128 in CBC mode
      none             OPTIONAL          no encryption; NOT RECOMMENDED

 The RFC says other encryption methods may be added in the future, but I don't think it likely that any further DES-based methods will be added. The current understanding seems to be that AES is the preferred method now, as it seems to be better than DES in both security and efficiency.

 

Edit: a subsequent RFC does indeed add the 3des-ctr in the list of encryption methods, but as RECOMMENDED, not as REQUIRED:

http://www.ietf.org/rfc/rfc4344.txt

Apparently it is supported in the OpenSSH source code. However, the list of supported ciphers can be restricted at compile-time. For example, the current list of supported encryption methods on my Debian Linux workstation (according to the man pages) is:

 

aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour

I have no idea why HP has not included 3des-ctr. Perhaps there is a later recommendation against it in security circles?

MK
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.