000033128 - Supported SSH ciphers of an RSA DPM (Key Manager) Appliance 3.5.2.4.x

Document created by RSA Customer Support Employee on Jul 8, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number
000033128
Applies To
RSA Product Set: DPM
RSA Product/Service Type: Key Manager Appliance
RSA Version/Condition: 3.5.2.4.x
Issue
3rd party SSH tools such as PuTTY or WinSCP will not connect to the DPM appliance once DPM Appliance hotfix 3.5.2.4.1 or higher has been applied.
Cause
From NIST Special Publication 800-131A Revision 1:
"SHA-1 may only be used for digital signature generation where specifically allowed by NIST protocol-specific guidance. For all other applications, SHA-1 shall not be used for digital signature generation."


SHA-1: Federal agencies should stop using SHA-1 for generating digital signatures, generating time stamps and for other applications that require collision resistance. Federal agencies may use SHA-1 for the following applications: verifying old digital signatures and time stamps, generating and verifying hash-based message authentication codes (HMACs), key derivation functions (KDFs), and random bit/number generation. Further guidance on the use of SHA-1 is provided in SP 800-131A.


The SSH protocol, as of today, supports 4 types of key exchange:

  • DSA
SSH connections employing the DSA key exchange algorithm are not supported on a DPM appliance due to known vulnerabilities.

  • RSA 
SSH connections employing the RSA key exchange algorithm are not supported on a 3.5.2.4.1 or later DPM appliance because this key exchange algorithm requires the generation of a digital signature that (by default) employs a SHA-1 message digest.

  • ECDSA
SSH connections employing the ECDSA key exchange algorithm are supported on a DPM appliance. The Elliptic Curve Digital Signature Algorithm (ECDSA) was introduced in OpenSSH 5.7. It is not supported in earlier OpenSSH clients.

  • Ed25519 
SSH connections employing the Ed25519 key exchange algorithm are supported on a DPM appliance. The Edwards-curve Digital Signature Algorithm (Ed25519) was introduced in OpenSSH 6.5. It is not supported in earlier OpenSSH clients.
Resolution
  • If you use PuTTY to SSH into an appliance, you must download the beta daily build of PuTTY.
  • If you use WinSCP, you must download the beta build of WinSCP.
  • If you use any other 3rd party tool, ask the vendor when they will release a version of their product that supports ECDSA or Ed25519.
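
The connection failure described under Issue can be reproduced offline. This is an added example, not RSA's code: it parses the `server_host_key_algorithms` name-list of an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1), where the four types listed above appear under the wire names `ssh-dss`, `ssh-rsa`, `ecdsa-sha2-*` and `ssh-ed25519`, and picks the first client algorithm the server also offers. The appliance and client lists are constructed samples; the appliance list is an assumption based on the article, not a capture.

```python
SSH_MSG_KEXINIT = 20
# Wire-name prefixes mapped to (article type, supported on DPM 3.5.2.4.1+).
# The supported flag restates the article; it is not read from an appliance.
FAMILIES = {"ssh-dss": ("DSA", False), "ssh-rsa": ("RSA", False),
            "ecdsa-sha2-": ("ECDSA", True), "ssh-ed25519": ("Ed25519", True)}

def name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return len(body).to_bytes(4, "big") + body

def build_kexinit(algs):
    """Build a constructed KEXINIT payload; only the host key list is filled."""
    lists = [[], algs] + [[]] * 8        # 10 name-lists; index 1 = host keys
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16) +
            b"".join(name_list(x) for x in lists) + b"\x00" + bytes(4))

def host_key_algs(payload):
    """Return server_host_key_algorithms from a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, []                  # skip message type and 16-byte cookie
    for _ in range(10):
        n = int.from_bytes(payload[off:off + 4], "big")
        raw = payload[off + 4:off + 4 + n]
        if len(payload) < off + 4 + n:
            raise ValueError("truncated name-list")
        lists.append(raw.decode("ascii").split(",") if raw else [])
        off += 4 + n
    return lists[1]

def family(alg):
    """Map a wire name to (article type, supported), or None if not listed."""
    return next((info for p, info in FAMILIES.items() if alg.startswith(p)), None)

def negotiate(client_payload, server_payload):
    """First client-preferred host key algorithm the server also offers."""
    server = set(host_key_algs(server_payload))
    return next((a for a in host_key_algs(client_payload) if a in server), None)

# Constructed samples (assumptions, not captured traffic).
APPLIANCE = build_kexinit(["ecdsa-sha2-nistp256", "ssh-ed25519"])
OLD_CLIENT = build_kexinit(["ssh-rsa", "ssh-dss"])
NEW_CLIENT = build_kexinit(["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"])

if __name__ == "__main__":
    for label, c in (("old client", OLD_CLIENT), ("new client", NEW_CLIENT)):
        print(label, "->", negotiate(c, APPLIANCE) or "no common algorithm")
```

A client build that lacks ECDSA and Ed25519 ends with no common algorithm, which is the failure PuTTY and WinSCP users see after the hotfix.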
