|Applies To||RSA Product Set: DPM|
RSA Product/Service Type: Key Manager Appliance
RSA Version/Condition: 220.127.116.11.x
|Issue||3rd party SSH tools such as PuTTY or WinSCP will not connect to the DPM appliance once DPM Appliance hotfix 18.104.22.168.1 or higher has been applied.|
|Cause||From NIST Special Publication 800-131A Revision 1|
SHA-1 may only be used for digital signature generation where specifically allowed by NIST protocol - specific guidance. For all other applications, SHA-1 shall not be used for digital signature generation"
SHA-1: Federal agencies should stop using SHA-1 for generating digital signatures, generating time stamps and for other applications that require collision resistance. Federal agencies may use SHA-1 for the following applications: verifying old digital signatures and time stamps, generating and verifying hash-based message authentication codes (HMACs), key derivation functions (KDFs), and random bit/number generation. Further guidance on the use of SHA-1 is provided in SP 800-131A.
The SSH protocol, as of today, supports 4 types of key exchange:
SSH connections employing the DSA key exchange algorithm are not supported on a DPM appliance due to known vulnerabilities.
SSH connections employing the RSA key exchange algorithm are not supported on a 22.214.171.124.1 or later DPM appliance because this key exchange algorithm requires the generation of a digital signature that (by default) employs a SHA-1 message digest.
SSH connections employing the ECDSA key exchange algorithm are supported on a DPM appliance. The Elliptic Curve Digital Signature Algorithm (ECDSA) was introduced in OpenSSH 5.7. It is not supported in earlier OpenSSH clients.
SSH connections employing the Ed25519 key exchange algorithm are supported on a DPM appliance. The Edwards-curve Digital Signature Algorithm (Ed25519) was introduced in OpenSSH 6.5. It is not supported in earlier OpenSSH clients.