Bug 507659 - Better defaults for crypto algorithms of SSH2 preference page
Status: NEW
Alias: None
Product: Platform
Classification: Eclipse Project
Component: Team
Version: 4.6
Hardware: All All
Importance: P3 enhancement
Target Milestone: ---
Assignee: Platform Team Inbox
Reported: 2016-11-17 04:30 EST by Andreas Sewe
Modified: 2016-11-17 04:30 EST

Description Andreas Sewe 2016-11-17 04:30:25 EST
Pardon me if this is the wrong product/component, but I have no idea who contributes org.eclipse.jsch.ui.

At the moment, Eclipse selects by default some really old (i.e., broken) cryptography on its General > Network Connections > SSH2 preference page.

For "MAC methods" it selects (in this order)

 [X] hmac-md5
 [X] hmac-sha1
 [X] hmac-sha2-256
 [X] hmac-sha1-96
 [X] hmac-md5-96

For "Key Exchange Methods" it selects (in this order)

 [X] diffie-hellman-group1-sha1
 [X] diffie-hellman-group14-sha1
 [X] diffie-hellman-group-exchange-sha1
 [X] diffie-hellman-group-exchange-sha256

I am by no means an expert on cryptography, but maybe we should just follow pre-existing guidelines. Bettercrypto.org's Applied Crypto Hardening [1] suggests (in Section 2.2.1) some selection/ordering of options (not all available in JSch) for the OpenSSH "MACs" and "KexAlgorithms" we could follow:

 [X] hmac-sha2-256
 [ ] hmac-sha1
 [ ] hmac-sha1-96
 [ ] hmac-md5
 [ ] hmac-md5-96

and

 [X] diffie-hellman-group-exchange-sha256
 [X] diffie-hellman-group14-sha1
 [X] diffie-hellman-group-exchange-sha1
 [ ] diffie-hellman-group1-sha1

[1] <https://bettercrypto.org/static/applied-crypto-hardening.pdf>
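
Added example, not part of the original report and not Eclipse or JSch code: a small simulation of SSH algorithm negotiation showing why the order of the checked entries matters, since the client's list decides the outcome. The client lists are the ones quoted in the report; the server lists and all function names are constructed for illustration.

```python
# Added illustration. Client lists come from the report above; the server
# lists are constructed sample data.

CURRENT_MACS = ["hmac-md5", "hmac-sha1", "hmac-sha2-256", "hmac-sha1-96", "hmac-md5-96"]
PROPOSED_MACS = ["hmac-sha2-256"]
CURRENT_KEX = [
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group-exchange-sha256",
]
PROPOSED_KEX = [
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
]

# Constructed: a server that lists strong algorithms first but still accepts old ones.
LEGACY_MACS = ["hmac-sha2-256", "hmac-sha1", "hmac-md5"]
LEGACY_KEX = ["diffie-hellman-group-exchange-sha256",
              "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
# Constructed: a server whose MAC list has no SHA-2 entry.
SHA1_ONLY_MACS = ["hmac-sha1", "hmac-md5"]


def negotiate(client, server):
    """Return the first name on the client's list that the server also offers.

    This is the RFC 4253 section 7.1 rule for MACs. Key exchange adds
    host-key compatibility conditions that are left out here (assumption).
    Returns None when no algorithm is shared, i.e. the connection fails.
    """
    offered = set(server)
    return next((name for name in client if name in offered), None)


def report(server_macs, server_kex):
    """Negotiated (MAC, KEX) pair for the current and the proposed defaults."""
    return {
        "current": (negotiate(CURRENT_MACS, server_macs), negotiate(CURRENT_KEX, server_kex)),
        "proposed": (negotiate(PROPOSED_MACS, server_macs), negotiate(PROPOSED_KEX, server_kex)),
    }


if __name__ == "__main__":
    print(report(LEGACY_MACS, LEGACY_KEX))
    print(report(SHA1_ONLY_MACS, LEGACY_KEX))
```

Against the constructed legacy server, the current defaults settle on hmac-md5 and diffie-hellman-group1-sha1 even though the server lists stronger algorithms first, while the proposed lists settle on hmac-sha2-256 and diffie-hellman-group-exchange-sha256. Against the SHA-1-only server the proposed MAC list has no match, which is the compatibility cost of unchecking the older MACs.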