
raising security in libssh
Closed, Invalid (Public)


Dear Libssh team,
I prefer SSH because of its security, but libssh is not so secure. Here I am recommending some algorithms to be added to libssh.

Encryption Algorithms:
Twofish-256 CBC – I already submitted this
Both are implemented by many servers and clients which makes library more compatible.
AES has faced a lot of cryptanalysis because of its popularity, some agencies may succeed to crack it without publishing that. Why don't we add two more flavours?

KEX Algorithms:
Diffie-Hellman-Group-Exchange with a minimum group size of 3072
Size of 3072 is just to make sure it is better than DH-group14 that is already included.
NIST curves are not trusted by many cryptographers and I have included a long list (along with source links) showing that in appendix A.
Some cryptographers see EC in general as problematic, and they consider the factorization problem to be more secure than ECC.

Appendix A
Why NIST is not trusted?

Post-Snowden responses
Bruce Schneier
“I no longer trust the constants. I believe the NSA has manipulated them...”
Nigel Smart
“Shame on the NSA...”
“The membership of the IACR repudiates mass surveillance and the undermining of cryptographic solutions and standards”
TLS Working Group
formal request to CFRG for new elliptic curves for usage in TLS!!!

Pre-Snowden suspicions re: NIST (and their curves)
2013 - Bernstein and Lange
“Jerry Solinas at the NSA used this [random method] to generate the NIST curves ... or so he says...”
2008 - Koblitz and Menezes
“However, in practice the NSA has had the resources and expertise to dominate NIST, and NIST has rarely played a significant independent role.”
2007 - Shumow and Ferguson
“We don’t know how Q = [d] P was chosen, so we don’t know if the algorithm designer [NIST] knows [the backdoor] d.” .. they are talking about Dual EC DRBG
1999 - Scott
“So, sigh, why didn't they [NIST] do it that way? Do they want to be distrusted?”

Scott ‘99 talking about NIST's curve P256
s = c49d360886e704936a6678e1139d26b7819f7e90
“Consider now the possibility that one in a million of all curves have an exploitable structure that "they" know about, but we don't.. Then "they" simply generate a million random seeds until they find one that generates one of "their" curves...”

RSA has received 10 million USD from the NSA to make Dual EC DRBG the default CSPRNG in their library 'BSAFE'.

I am not saying that NIST is intentionally inserting backdoors in their curves. I am just trying to borrow Schneier's words: “Cryptographers are a conservative bunch: We don't like to use algorithms that have even a whiff of a problem.”

Moreover, neither Russia, China nor the European Union use NIST standards; they have their own standards. So NIST is not the only de facto standard for security. YES, we need to support their algorithms because of their popularity, but we need to support more algorithms for better security. One more thing to mention is that adding all those algorithms is easier than tracking a single bug in the library itself, as all algorithms are supported in libgcrypt.

Event Timeline

m.nasim created this task. Feb 21 2018, 9:26 PM
m.nasim triaged this task as Normal priority.
m.nasim updated the task description. Feb 21 2018, 9:31 PM
m.nasim lowered the priority of this task from Normal to Wishlist. Feb 26 2018, 9:00 PM
m.nasim updated the task description.
asn claimed this task. Aug 27 2018, 12:32 PM
asn added a subscriber: Jakuje.
asn added a comment. Aug 27 2018, 12:38 PM

a) chacha20-poly1305 has been added with libssh 0.8.0

b) Curve25519 is the default KEX, not only in libssh, see

c) curve448 and ed448 support would be nice

asn closed this task as Invalid. Aug 27 2018, 12:50 PM

Also I don't see why libssh would be insecure, we have strong ciphers and even invented the current default KEX. See

and the default of OpenSSH for KEX.

For symmetric encryption AES-CTR is pretty good. The only interesting addition would be AES-GCM with hardware acceleration. You would have to prove that the defaults we are using are insecure, but we are the wrong people for addressing that. I guess you have to show djb and others that those algorithms are insecure.
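As an added example (not libssh's code and not from either participant), this shows the name-list negotiation that both the proposal above and asn's reply about defaults rest on: per RFC 4253 section 7.1, the first algorithm on the client's list that the server also offers is chosen, so the client's ordering decides which of the supported algorithms actually gets used. An audit step then flags SHA-1 KEX, CBC/RC4 ciphers and a DH group-exchange result below the 3072-bit minimum proposed in the task; the weak-algorithm sets, the `audit` policy and all name-lists are constructed assumptions for illustration.

```python
"""Added example, not libssh's own code: RFC 4253 section 7.1 algorithm
negotiation (first client-preferred name the server also offers wins) plus a
defensive policy check over the outcome, including the 3072-bit minimum for
diffie-hellman-group-exchange proposed in this task. All name-lists and the
policy sets below are constructed sample values, not libssh defaults."""

# Assumed policy: SHA-1 KEX methods and CBC/RC4 ciphers are refused.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256",
                "aes128-cbc", "aes256-cbc"}
GEX_KEX = {"diffie-hellman-group-exchange-sha256",
           "diffie-hellman-group-exchange-sha1"}
MIN_GEX_BITS = 3072  # the task's proposed floor, above the fixed 2048-bit group14


def negotiate(client_list, server_list):
    """RFC 4253 7.1: return the first client-preferred name the server offers."""
    server = set(server_list)
    for name in client_list:
        if name in server:
            return name
    return None  # no common algorithm: the connection must fail


def audit(kex, cipher, gex_group_bits=None):
    """Return a list of policy findings for the negotiated pair (empty = OK)."""
    findings = []
    if kex is None or cipher is None:
        return ["negotiation failed: no common algorithm"]
    if kex in WEAK_KEX:
        findings.append(f"weak KEX negotiated: {kex}")
    if kex in GEX_KEX and (gex_group_bits is None or gex_group_bits < MIN_GEX_BITS):
        findings.append(f"DH-GEX group smaller than {MIN_GEX_BITS} bits: {gex_group_bits}")
    if cipher in WEAK_CIPHERS:
        findings.append(f"weak cipher negotiated: {cipher}")
    return findings


# Constructed client preferences: modern algorithms first, legacy last.
CLIENT_KEX = ["curve25519-sha256", "diffie-hellman-group-exchange-sha256",
              "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"]
CLIENT_CIPHERS = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                  "aes256-ctr", "aes128-cbc"]
# Constructed server: no curve25519, but DH-GEX and AES-CTR are available.
SERVER_KEX = ["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256",
              "diffie-hellman-group14-sha256"]
SERVER_CIPHERS = ["aes128-cbc", "aes256-ctr", "3des-cbc"]

if __name__ == "__main__":
    kex = negotiate(CLIENT_KEX, SERVER_KEX)          # DH-GEX-sha256 (client order wins)
    cipher = negotiate(CLIENT_CIPHERS, SERVER_CIPHERS)  # aes256-ctr
    print(kex, cipher, audit(kex, cipher, gex_group_bits=2048))
```

Note that the server listing `diffie-hellman-group14-sha1` first does not matter: the client's ordering selects DH-GEX, and the audit still rejects a 2048-bit group for it.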