[OpenWrt-Devel] [PATCH] [package] dropbear: enable sha2-based hmac by default.
Alive
alive4ever at live.com
Fri Sep 26 14:15:30 EDT 2014
On 26/09/2014 10:11, Catalin Patulea wrote:
> What's the motivation for this change?
>
> On Thu, Sep 25, 2014 at 11:43 AM, Alive <alive4ever at live.com> wrote:
>> X-Patchwork-Id: 6322
>> Message-Id: <BLU437-SMTP18D6698761B98124ACA899E4B00 at phx.gbl>
>>
>> Is there any chance for my proposed patch to be committed?
>> http://patchwork.openwrt.org/patch/6322/
>>
>> Here is a brief comparison about binary and package size increase.
>> Tested on AR9330, mips, TL MR3220v2
>>
>> Before applying sha2-hmac patch
>> root at OpenWrt:~# du -sh $(which dropbear)
>> 161.5K /usr/sbin/dropbear
>>
>> After applying sha2-hmac patch
>> root at OpenWrt:~# du -sh $(which dropbear)
>> 165.5K /usr/sbin/dropbear
>>
>> It's about 4K binary size increase.
>>
>> debug information
>> ssh root at OpenWrt -o MACs=hmac-sha2-512,hmac-sha2-256 -v
>> ...
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: server->client aes128-ctr hmac-sha2-512 none
>> debug1: kex: client->server aes128-ctr hmac-sha2-512 none
>> ...
>>
>> Package size compared to downloaded trunk
>> 84829 Sep 25 02:43 dropbear_2014.65-2_ar71xx.ipk
>> 81896 Sep 25 02:13 dropbear_2014.65-2_ar71xx.ipk
>> It's about 3K package size increase.
As SHA1 signature hash is about to be obsolete on certificates, it would
be better to prepare for next generation hash algorithms. Here are some
references.
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
https://www.digicert.com/sha-2-ssl-certificates.htm
While CA is encouraging users to upgrade to SHA2-based certificates,
it'd be better to assume that SHA1 HMAC will also be obsolete.
I know unix philosophy "Don't fix what ain't broken".
I think it's better to provide safety measure to prevent disaster
instead of waiting the disaster to come and fix it later.
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list