Bug #8484
Disable ECDSA on *.lizard's sshd
100%
Description
Depending on whether we judge EC as available currently as safe enough, or not.
Subtasks
History
#1 Updated by intrigeri 2014-12-30 10:45:51
- related to #8285 added
#2 Updated by bertagaz 2014-12-30 15:57:06
This question could lead to: is ECDSA worst than the current RSA we use widely? I don’t have an answer to that yet.
Some facts to take into account in this discussion:
According to their ssh_config(5), by default:
Wheezy’s sshd uses (by order of preference):
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-rsa,ssh-dsswhile Jessie’s sshd uses:
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,ssh-rsa,ssh-dssSo in Jessie Curve25519 is also available, there is a ed25519 host key for sshd. It’s not the first choice probably because of client compatibility.
On this, http://safecurves.cr.yp.to/ is something to read, specially the curve algo comparison table.
From what I understood, ECDSA is a NIST/NSA standard, with some questionnable choices for efficiency, while Curve25519 has better security and is faster, at least according to what their authors (Djb and al.) claim
Another question which could be raised from all that: should we tighten our HostKeyAlgorithms on Lizard, to for example drop ssh-dss, and maybe ecdsa?
#3 Updated by intrigeri 2014-12-31 11:35:25
> This question could lead to: is ECDSA worst than the current RSA we use widely? I don’t have an answer to that yet.
RSA has seen a lot of review and the way it works is well understood, while ECDSA is based on untrustworthy NIST curves, so my answer is “yes, and then ECDSA should be disabled”. But IMO ed25519 should be enabled. See #8285.
> Another question which could be raised from all that: should we tighten our HostKeyAlgorithms on Lizard, to for example drop ssh-dss,
Unsure => please file a dedicated ticket about it.
> and maybe ecdsa?
That’s exactly what this very ticket is about, and my answer is “yes” :)
#4 Updated by bertagaz 2014-12-31 11:51:27
intrigeri wrote:
> > This question could lead to: is ECDSA worst than the current RSA we use widely? I don’t have an answer to that yet.
>
> RSA has seen a lot of review and the way it works is well understood, while ECDSA is based on untrustworthy NIST curves, so my answer is “yes, and then ECDSA should be disabled”. But IMO ed25519 should be enabled. See #8285.
Thx for the pointer. Have the same opinion.
> > Another question which could be raised from all that: should we tighten our HostKeyAlgorithms on Lizard, to for example drop ssh-dss,
>
> Unsure => please file a dedicated ticket about it.
I’ll do so when I’ll have some readings about it, and see if it is really relevant. Main point was about ecdsa.
> > and maybe ecdsa?
>
> That’s exactly what this very ticket is about, and my answer is “yes” :)
So we quickly reached a consensus now that I too agree.
#5 Updated by intrigeri 2014-12-31 11:55:25
- Subject changed from Disable ECDSA on *.lizard's sshd or publish these keys in Monkeysphere to Disable ECDSA on *.lizard's sshd
#6 Updated by intrigeri 2015-01-06 10:58:04
- Status changed from Confirmed to Resolved
- % Done changed from 0 to 100