Knowledge Base


Article 2725

SSH: Security status of algorithms

Public Key Algorithms

ssh-rsa, x509v3-ssh-rsa

Security Status: Weak. These signatures are made over SHA-1, and SHA-1 collisions are now practical (paper: The first collision for full SHA-1). The RSA key itself is not the problem: the same key can sign with rsa-sha2-256 or rsa-sha2-512 (RFC 8332) instead. OpenSSH has disabled ssh-rsa signatures by default since version 8.8.
Status in SmartFTP: Offered but refuses all keys with a key length smaller than 1024 bits.

rsa-sha2-256, rsa-sha2-512, x509v3-rsa2048-sha256

Security Status: Secure, provided the RSA key is long enough (2048 bits or more is the current recommendation; 1024-bit RSA keys are considered too short).
Status in SmartFTP: Offered but refuses all keys with a key length smaller than 1024 bits.


Security Status: Insecure because of an inherent weakness: the key length is limited to 1024 bits, which is considered too short.
Status in SmartFTP: Only offered for compatibility with legacy servers. It will be removed in the near future.

ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

Security Status: Secure, with some concerns: the NIST curve parameters have no published design rationale, and ECDSA leaks the private key if the per-signature nonce is ever repeated or biased, so it depends on a good random number generator or on deterministic nonces (RFC 6979).
Status in SmartFTP: Offered.


Security Status: Secure.
Status in SmartFTP: Offered and the preferred algorithm.

Key Exchange Algorithms

Post-quantum key exchange method: the shared secret stays confidential even against an adversary with a large quantum computer who records the traffic now and attacks it later.

Security Status: Secure.
Status in SmartFTP: Offered and the preferred algorithm.


Security Status: Secure.
Status in SmartFTP: Offered.

ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521

Security Status: Secure, with some concerns: the NIST curve parameters have no published design rationale, and implementations must validate that the peer's public point actually lies on the curve.
Status in SmartFTP: Offered.


1024-bit MODP group (Oakley Group 2) with SHA-1.

Known Vulnerability

20 May 2015
Logjam attack: a one-time precomputation against a fixed 1024-bit group lets an attacker break individual key exchanges in that group quickly afterwards; the authors estimate this to be within reach of a nation-state adversary.
Paper: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

4 October 2016
Paper: A kilobit hidden SNFS discrete logarithm computation (a discrete logarithm computed in a 1024-bit prime field with a hidden trapdoor, showing that a deliberately weakened 1024-bit group is hard to detect and feasible to break)

Disabled by default in OpenSSH 7.0.

Security Status: Insecure.
Status in SmartFTP: Not offered.

diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1

Security Status: The groups themselves are secure when the group size is 2048 bits or more (group14 is 2048-bit; for group-exchange the client must refuse any group smaller than 2048 bits). The exchange hash, however, uses SHA-1, which is considered weak and for which collisions are now practical (paper: The first collision for full SHA-1), so these methods are deprecated.
Status in SmartFTP: Only offered for compatibility with legacy servers. It will be removed in the near future.

diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha256

Security Status: Secure when the group size is 2048 bits or more (group14 is 2048-bit; for group-exchange the client must refuse any group smaller than 2048 bits).
Status in SmartFTP: Offered.


4096-bit MODP group (Oakley Group 16).

Security Status: Secure.
Status in SmartFTP: Offered.

Encryption Algorithms


Known Vulnerability

Sweet32: Birthday attacks on 64-bit block ciphers
Paper: On the Practical (In-)Security of 64-bit Block Ciphers

The attack needs a large amount of traffic encrypted under one key: with 64-bit blocks a ciphertext-block collision becomes likely after about 2^32 blocks (32 GB) of same-key data. It is impractical for SSH2 because re-keying, when correctly implemented, happens after at most 1 GB of data (RFC 4253, section 9), so each key encrypts only about 2^27 blocks.

Security Status: Secure when re-keying is properly implemented. Discouraged nevertheless; aes-ctr and aes-gcm are preferred.
Status in SmartFTP: Only offered for compatibility with legacy servers. It will be removed in the near future.
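The re-keying argument above, worked through numerically, as an added example that is not part of the original article or of SmartFTP: the script compares the collision probability for a 64-bit block cipher inside one 1 GB re-key window with the no-re-key birthday bound and with a 128-bit block cipher. The 1 GB window is the RFC 4253 recommendation; the formulas are the standard birthday approximations, not taken from the page.

```python
"""Birthday-bound arithmetic behind the Sweet32 assessment above.

Added example; not code from the page or from SmartFTP. Assumes the
RFC 4253 rekey limit of 1 GB (2**30 bytes) and the standard birthday
approximation P(collision) = 1 - exp(-n(n-1) / 2**(b+1)) for n blocks
of a b-bit block cipher.
"""
import math


def blocks_per_key(rekey_bytes: int, block_bits: int) -> int:
    """Number of cipher blocks encrypted under one key before re-keying."""
    return rekey_bytes // (block_bits // 8)


def collision_probability(blocks: int, block_bits: int) -> float:
    """P(at least one pair of equal ciphertext blocks) among `blocks` blocks
    of a b-bit block cipher in CBC mode (birthday approximation).
    -expm1(-x) equals 1 - exp(-x) but stays accurate when x is tiny."""
    x = blocks * (blocks - 1) / 2.0 ** (block_bits + 1)
    return -math.expm1(-x)


def target_hit_probability(blocks: int, block_bits: int) -> float:
    """P(one specific block, e.g. a session cookie, collides with any other
    block under the same key): first-order approximation (n-1) / 2**b,
    accurate while n is far below 2**b."""
    return (blocks - 1) / 2.0 ** block_bits


def sweet32_summary(rekey_bytes: int = 2 ** 30) -> dict:
    """Compare a 64-bit block cipher (3DES) re-keyed every `rekey_bytes`
    with the same cipher never re-keyed, and with a 128-bit block cipher (AES)."""
    n64 = blocks_per_key(rekey_bytes, 64)
    n64_birthday = 2 ** 32            # 2**32 blocks * 8 B = 32 GiB of same-key traffic
    n128 = blocks_per_key(rekey_bytes, 128)
    # Each re-key window gives the attacker an independent chance p of hitting
    # the target block, so on average 1/p windows (and that much traffic) are
    # needed before a single target block leaks.
    p_target = target_hit_probability(n64, 64)
    return {
        "blocks_per_1GB_key_64bit": n64,
        "p_any_collision_per_key_64bit": collision_probability(n64, 64),
        "p_any_collision_32GiB_no_rekey_64bit": collision_probability(n64_birthday, 64),
        "p_any_collision_per_key_128bit": collision_probability(n128, 128),
        "expected_bytes_to_leak_target_with_rekey": rekey_bytes / p_target,
    }


if __name__ == "__main__":
    for key, value in sweet32_summary().items():
        if isinstance(value, float):
            print(f"{key:45s} {value:.3e}")
        else:
            print(f"{key:45s} {value}")
```

Within one 1 GB window the chance of any two 3DES blocks colliding is about 2^-11, versus roughly 39% after 32 GiB without re-keying; to leak one chosen block the attacker would on average need on the order of 2^67 bytes of re-keyed traffic, which is what makes the attack impractical for SSH2.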

aes128-cbc, aes256-cbc

Known Vulnerability

24 November 2008
CERT Vulnerability Note VU#958563 - SSH CBC vulnerability

19 May 2009
The paper the CERT note refers to was published in the Proceedings of the 2009 IEEE Symposium on Security and Privacy (SP '09):
Plaintext Recovery Attacks Against SSH

The attack exploits how an implementation reacts to a corrupted encrypted length field and recovers up to 32 plaintext bits with low probability per attempt, each attempt tearing down the connection; it does not apply to CTR or GCM modes.

OpenSSH's answer and mitigation:
OpenSSH Security Advisory: cbc.adv

Security Status: Secure when correctly implemented (e.g. OpenSSH 5.2 and higher). Discouraged nevertheless; aes-ctr and aes-gcm are preferred.
Status in SmartFTP: Offered for compatibility with legacy servers.

aes128-ctr, aes256-ctr

Security Status: Secure.
Status in SmartFTP: Offered.

Security Status: Secure.
Status in SmartFTP: Offered and the preferred algorithm.

Compression Algorithms


Security Status: Pre-authentication compression is susceptible to compression-oracle attacks (an attacker who can inject data into the compressed stream learns about the neighbouring plaintext from the compressed length) and exposes the compressor to unauthenticated peers, an unnecessary attack surface.

Status in SmartFTP: No longer offered. Post-authentication compression is still available with
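As an added example (not code from the article or from SmartFTP), the following script parses an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and grades every offered key exchange, host key, cipher and compression name against the status table above, so an auditor can spot a server that still advertises the legacy methods. The sample KEXINIT is constructed; the names commented ASSUMED are guesses for table entries whose algorithm names are missing from the page, and MAC algorithms are not graded because the page does not cover them.

```python
"""Parse an SSH_MSG_KEXINIT and grade the offered algorithms against the
status table on this page.

Added example; not code from the page or from SmartFTP. Names marked
ASSUMED are guesses for entries whose names are missing from the page;
the sample KEXINIT below is constructed, not captured.
"""
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# MAC and language lists are not graded: the page says nothing about them.
GRADED = ("kex", "host_key", "enc_c2s", "enc_s2c", "comp_c2s", "comp_s2c")

POLICY = {
    # insecure: the page lists these as "Insecure" / "Not offered"
    "diffie-hellman-group1-sha1": "insecure",  # ASSUMED name for "1024-bit Oakley Group 2"
    "ssh-dss": "insecure",                     # ASSUMED name for the 1024-bit-limited key type
    # legacy: SHA-1 based, offered only for compatibility
    "ssh-rsa": "legacy", "x509v3-ssh-rsa": "legacy",
    "diffie-hellman-group-exchange-sha1": "legacy",
    "diffie-hellman-group14-sha1": "legacy",
    # discouraged: safe only with a correct implementation; CTR/GCM preferred
    "aes128-cbc": "discouraged", "aes256-cbc": "discouraged",
    "3des-cbc": "discouraged",                 # ASSUMED name for the 64-bit block cipher entry
    "zlib": "discouraged",                     # ASSUMED name for pre-authentication compression
    # ok
    "rsa-sha2-256": "ok", "rsa-sha2-512": "ok", "x509v3-rsa2048-sha256": "ok",
    "ecdsa-sha2-nistp256": "ok", "ecdsa-sha2-nistp384": "ok", "ecdsa-sha2-nistp521": "ok",
    "ecdh-sha2-nistp256": "ok", "ecdh-sha2-nistp384": "ok", "ecdh-sha2-nistp521": "ok",
    "diffie-hellman-group-exchange-sha256": "ok", "diffie-hellman-group14-sha256": "ok",
    "aes128-ctr": "ok", "aes256-ctr": "ok",
    "none": "ok",                              # no compression
}
SEVERITY = {"ok": 0, "unknown": 1, "discouraged": 2, "legacy": 3, "insecure": 4}


def _name_list(buf: bytes, off: int):
    """Decode one RFC 4251 name-list: uint32 length, then comma-separated names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated name-list body")
    raw = buf[off:off + n].decode("ascii")
    return (raw.split(",") if raw else []), off + n


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload: message byte, 16-byte cookie, ten name-lists,
    first_kex_packet_follows boolean and the reserved uint32 (must be 0)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 1 + 16, {}
    for field in FIELDS:
        out[field], off = _name_list(payload, off)
    if off + 5 > len(payload):
        raise ValueError("truncated trailer")
    out["first_kex_packet_follows"] = payload[off] != 0
    if struct.unpack_from(">I", payload, off + 1)[0] != 0:
        raise ValueError("reserved field must be zero")
    return out


def build_kexinit(lists: dict, cookie: bytes = bytes(16)) -> bytes:
    """Encode a KEXINIT payload; used here only to construct the sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)


def grade(parsed: dict) -> list:
    """Return (field, name, status) for every graded name that is not 'ok',
    worst first. Unknown names are reported rather than silently accepted."""
    findings = [(f, n, POLICY.get(n, "unknown"))
                for f in GRADED for n in parsed[f] if POLICY.get(n, "unknown") != "ok"]
    return sorted(findings, key=lambda t: -SEVERITY[t[2]])


def worst_status(parsed: dict) -> str:
    findings = grade(parsed)
    return findings[0][2] if findings else "ok"


# Constructed sample: a server that still advertises several legacy methods.
SAMPLE_LISTS = {
    "kex": ["diffie-hellman-group14-sha256", "diffie-hellman-group1-sha1"],
    "host_key": ["rsa-sha2-512", "ssh-rsa"],
    "enc_c2s": ["aes256-ctr", "aes128-cbc"], "enc_s2c": ["aes256-ctr", "aes128-cbc"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
    "comp_c2s": ["none", "zlib"], "comp_s2c": ["none"],
}
SAMPLE_KEXINIT = build_kexinit(SAMPLE_LISTS)

if __name__ == "__main__":
    for field, name, status in grade(parse_kexinit(SAMPLE_KEXINIT)):
        print(f"{status:11s} {field:9s} {name}")
```

Run against the sample, the grader reports the 1024-bit group as insecure, ssh-rsa as legacy, and aes128-cbc (both directions) and zlib as discouraged; the parser rejects truncated payloads instead of guessing, which matters when the input comes from an untrusted peer.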

Keywords
ssh security
