Cisco SSH v2 support diffie-hellman-exchange-group-sha1 ?

one of my router are scanned by Foundstone and get an alert :
""The SSH2 protocol specification requires that a SSH2 server support the
diffie-hellman-group1-sha1 key exchange algorithm. This key exchange
algorithm is considered strong, but faces a potential weakness in that the
same prime number is used for all key exchanges."
SO wanna check if cisco SSH2 can support the diffie-hellman-exchange-group-sha1? If yes, which IOS version required? ( have relevent link is appreciate)
thx..
..peter cheung

read http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_shell_v2.html#wp1082528

Similar Messages

  • Diffie Hellman withg JavaCars

    Dear,
    I kindly ask you if any card vendor or if the java-card_kit (versionn 2.2.1) support Diffie Hellman (DH) cryptographic algorithm?
    Sincerely

    Read the specs and you will see the answer. There's a reason SUN makes them available !
    The issue you will run into is finding a vendor that will have 2.2.x cards. I don't even know any vendors that are shipping 2.2 cards yet !
    It's not to say you can't develop solutions, but you won't have cards with 2.2.x JCRE/JCVM for deployment.

  • OAKLEY 5 group in Diffie-Hellman

    Hi everyone!
    I'm developing an SRTP implementation using the MIKEY key exchange protocol (for compatibility with a draft on SIP crypto info exchange) and, therefore, need an implementation of the oakley 5 group of Diffie- Hellman.
    My question is as follows:
    If I use the following code does the paramGen use the OAKLEY 5 scheme to generate the parameters? I've tried to look at the API for information on what actually happens when inputing 1536 bit prime size, but I find nothing.
    AlgorithmParameterGenerator paramGen = AlgorithmParameterGenerator.getInstance("DH");
    paramGen.init(1536);I'd be grateful for any information and/or suggestions.

    If I use the following code does the paramGen use the
    OAKLEY 5 scheme to generate the parameters? I've
    tried to look at the API for information on what
    actually happens when inputing 1536 bit prime size,
    but I find nothing.
    AlgorithmParameterGenerator paramGen =
    AlgorithmParameterGenerator.getInstance("DH");
    paramGen.init(1536);
    paramGen.init(1536) does not work for the default JCE Provider (the max value allowed is 1024).
    I guess that the OAKLEY scheme is not used because the implementation predates OAKLEY RFC (1998), but it's better to check the source code (that you can download from http://wwws.sun.com/software/communitysource/j2se/java2/download.html
    You can check also Bouncycastle's implementation, (http://www.bouncycastle.org ) but it's meant to be compatible with JCE's, so it probably does not use the OAKLEY scheme as well.

  • Diffie-Hellman groups - ASA firewalls

    Hi all,
    A couple of questions I'm hoping you can help me with.
    Please can you tell me where I'd change the Diffie-Hellman group for phase 1 on an ASA firewall and can this be done on the ASDM?
    Also, do you have to enable PFS have to DH on phase 2?
    Many thanks
    Alex

    Hello Alex,
    You can change the Diffie-Hellman group for phase 1 on ASA by configuring the following command:
    crypto isakmp policy
         group
    To configure the same using ASDM, go to
    Configuration>Site-to-Site VPN>Connection Profiles>Add/Edit
    In IPsec Settings, you will find Encryption Algorithms .Click on "Manage" icon on the right  of "IKE Policy".Click OK.
    Click on Add/Edit and there will be an option to change the DH Group.
    And lastly in regard to the PFS query , you can enable PFS in  order to have DH in phase 2.Enabling PFS will force a new DH key  exchange for phase 2.
    Note:It is not mandatory , its optional .If its configured on one side , then it needs to be done on the remote side as well.
    Regards,
    Dinesh Moudgil

  • Need help with Diffie-Hellman key-exchange protocol

    How can i show that the Diffie-Hellman key-exchange protocol is vulnerable to a man-in-themiddle
    attack and Devise a protocol using digital signatures which overcomes this vulnerability

    Given that the error is "Invalid Parameters", you might want to show us how "dhparameters" is being set up on both sides...
    Grant

  • Diffie-Hellman (D-H) key Exchange problem

    Hi,
    I have generated a certificate for Tomcat 6.0.14 using command:
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSATomcat is using JDK 1.6.0_03 with unlimited strength java cryptography extension policy
    and now when I try to connect to my site using Opera 9.24 I get warring �low encryption level�. The detected protocol by Opera is TLS v1.0 256 bit AES (768 bit DHE_RSA/SHA). The problem is 768 bit DHE (Diffie-Hellman key exchange) which is used for exchanging session key, opera issue a warring when key is sorter than 900 bits � more details on:
    http://my.opera.com/yngve/blog/2007/10/22/new-w-not-in-kestrel-dhe or
    http://my.opera.com/community/forums/topic.dml?id=207440I have two questions:
    1) How to change size of DHE key?
    2) If changing size of DHE key is not possible, than how to disable DHE to get pure RSA/SHA?

    I add to tomcat java options -Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA and I still got TLS v1.0 256 bit AES (768 bit DHE_RSA/SHA), but it lead me to connector configuration � after adding in server.xml:
    <Connector protocol="org.apache.coyote.http11.Http11Protocol"
          ciphers="TLS_RSA_WITH_AES_256_CBC_SHA" />opera gave me TLS v1.0 256 bit AES (2048 bit RSA/SHA) :) . The doc says that without this attribute all ciphers are available, maybe it overrides https.cipherSuites � either way problem solve
    Cheers

  • Diffie-Hellman Key Exchange Problem

    I am working on a program that will allow encrypted communication between two parties, and I am using the Diffie-Hellman key exchange to computer their secret keys, whenever I use this algorithm the key exchange goes fine but when I try to use KeyAgreement.doPhase() to perform the final phase I get an "InvalidKeyException: Incompatible Paramters" can anyone tell me what is going on, any help is greatly appreciated:
    //Server
    static void DHDoKeyExchange() {
              try {
                   PublicKey theirPublicKey = null;
                   System.out.println("Exchanging Keys...");
                   System.out.println("\t-Generating KeyPair.");
                   KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
                   kpg.initialize(dhparameters);
                   KeyPair keyPair = kpg.genKeyPair();
                   System.out.println("\t-Exchanging.");
                   theirPublicKey = (PublicKey)ois.readObject();
                   oos.writeObject(keyPair.getPublic());
                   KeyAgreement ka = KeyAgreement.getInstance("DH");
                   ka.init(keyPair.getPrivate());
                   ka.doPhase(theirPublicKey, true);
                   secret = ka.generateSecret();                              
                   System.out.println("\t-Done!\n");
              } catch(Exception e) {
                   e.printStackTrace();
    //Client
    static void DHDoKeyExchange() {
              try {
                   PublicKey theirPublicKey = null;
                   System.out.println("Exchanging Keys...");
                   System.out.println("\t-Generating KeyPair.");
                   KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
                   kpg.initialize(dhparameters);
                   KeyPair keyPair = kpg.genKeyPair();
                   System.out.println("\t-Exchanging.");
                   oos.writeObject(keyPair.getPublic());
                   theirPublicKey = (PublicKey)ois.readObject();
                   KeyAgreement ka = KeyAgreement.getInstance("DH");
                   ka.init(keyPair.getPrivate());
                   ka.doPhase(theirPublicKey, true);
                   secret = ka.generateSecret();
                   System.out.println("\t-Done!\n");
              } catch(Exception e) {
                   e.printStackTrace();
         }

    Given that the error is "Invalid Parameters", you might want to show us how "dhparameters" is being set up on both sides...
    Grant

  • Question on determining key strength (Diffie-Hellman Key Exchange)

    Greetings everyone!
    Im working on my thesis which implements the use of the Diffie-Hellman key exchange. One problem that I encounter was how to assess and evaluate its strength given N-size of the public keys used. Does anyone know what is the recommended key size to achieve security with the Diffie-Hellman key exchange? And in what way was it determined?
    Sincerely,
    Paolo Ferrer

    Well, Diffie-Hellman is a key exchange protocol, not a cypher. If you mean RSA, then the recommended minimum is 2048 bits. This is determined by estimating the amount of time it would take to break a shorter key by brute force. 256 bits can be broken on a PC in hours. 512 can be broken on several hundred PCs over a couple of days (this is all very rough stuff). 1024 could theoretically be broken by a computer that might be built in the next decade or so in under a decade so - or something like that. So, 2048 is the rule of thumb - but it depends what you need it for. To send a secure message to your grandmother, it's unlikely the whole world will pool their resources to learn the text of your message in 10 years.
    If, on the other hand, this is an email to your Justice department's Whitehouse liaison, you might want 4096 bits.
    Look up "Diffie Hellman Key Exchange" and RSA on wikipedia.org for some good references.

  • About Diffie-Hellman Key Exchange Algorihtm

    Hi... experts. I've got a problem about Diffie-Hellman Key Exchange. Is that possible to actually exchange a secret session key via Diffie-Hellman Key Exchange? or the secret session key (g^xy) is actually generated after the exchange of g^x and g^y by the two parties? My project supervisor made me confused with it, he is sure that the first case can be done. Please give me some ideas... Thanks a lot!!!
    Regards,
    Yating

    ejp, thanks for the reply!
    What is exchanged is the
    means by which it can be independently and
    identically calculated by both parties.That's exactly what I learn from the Diffie-Hellman algorithm, but he kept saying that he wanted me to distribute a shared secret via the key exchange. I really have no idea about what he is talking about. Do you have any ideas?
    Regards,
    Yating

  • Diffie Hellman use

    Guys if i use Diffie Hellman to get a number
    What is the best way to use that number to encrypt the plain Text
    i was thinking if the number was S, and the plaintext we could get the encrypted text E
    by raisining T to the power of S mod n.
    Is there an algorithm to get back to the T if you knew E and S.
    If you know a better use of the number than that would be appreciated.

    Diffie-Hellman is an algorithm for sharing keys between two nodes over an insecure channel. DH is only an algorithm, not an application.
    In your case, assuming you want to transfer a text message securely, you need an application, not an algorithm.
    I suggest you use IPSec. IPSec supports Internet Key Exchange (IKE). IKE supports DH as the key establishment algorithm.
    There are IPSec application that are ready-to-use :
    www.freeswan.org or www.openswan.org (the two are more-or-less the same).
    To get DH working under IPSec, you will need to do is abit more work (more tricky). If all you want is to transmit a message securly between two nodes, then the easiest way is to use a pre-shared secret, which is also supported by IPSec.

  • Will Unity Connection ever support Microsoft 365 Exchange

    Hello,
    Will Unity Connection ever support Microsoft 365 Exchange.  The link below states that it is not supported in 8.6 but does not state that it will never be supported.  If If anyone has any information it would be greatly appreciated.  Thanks
    http://www.cisco.com/en/US/prod/collateral/voicesw/ps6789/ps5745/ps6509/solution_overview_c22-677999.html

    HI Jason,
    Here's what I found, Exchange 365 is supported on CUC 8.6.2, which will come out in a few weeks.  However there's a Microsoft limitation of 19 users, but Cisco and Microsoft are actively working the problem.
    Regards,
    Tere.
    If you find this post helpful, please rate!

  • [Feature Request] Wap321 SSH/Telnet Support

    Dear Cisco Developers,
    we are facing a problem with your design choice of not to support Telnet/SSH on the Wap321. We bought this Product because it was one of the only Access Points with SSH and Telnet Support.
    We need the SSH Support for a script that changes the WPA-psk key of the interface wlan0 on more then 20AP's every Week. Everything was good until we got hold of a new charge which came with firmware version 1.0.1.10.
    Changelog:
    "Due to security concerns, Telnet and SSH access options are removed in firmware version 1.0.1.10."
    So I talked with the German Cisco Small Business Support and he said he will investigate and try to get it to the Second Support tier. Well it never came to that, he called us two days later and said that is was a BUG to Support SSH and Telnet on the WAP321 and it was never designed to be a Feature.
    So i guess we have following options:
    1.Bring back the SSH Support for the Wap321 in the next Firmware update
    2.Provide Firmware version 1.0.0.3
    3.Give me a Workaround for my task
    So any help would be appreciated and i hope we are not the only ones that would like to see a comeback of this feature.
    In hope for comments
    Best wish
    Fabian Schwarz
    (PTA-Support)
    PS: Support Ticket was
    624972937

    No Sir I do not.
    According to the response from L2:
    SSH is only enabled for customer to use it on switches.
    Developers normally do not allow SSH (enable or protect with password) for end
    user on any Wireless device. Management is done by web interface.
    In this particular case SSH was enabled only due to some bugs which were
    monitored during first release so it is not meant to be for end user.
    Because of particular security risks, SSH is for troubleshooting by developers.
    Currently there is no chance that they would issue any official firmware for this as
    well as there is a little chance they would create special firmware for just a few
    customers.
    I am sorry for any inconvenience that this has caused.
    Eric Moyers
    If you like you can roll the mouse over my picture and get my actual email address and contact me directly.

  • Does CISCO C3560X VLAN support multiple Network segments which are further configured with HSRP function

    Hi Cisco experts,
        My name is Kumagai and I need your expert opinions below.
    I am trying to configure one VLAN1 support multiple network segments as below.
    (this should be a very straight forward configuration and should be OK, I think ? )
     interface Vlan1
     ip address 172.30.0.0 255.255.128.0
     ip address 172.30.31.253 255.255.254.0 secondary
     ip address 172.30.61.253 255.255.254.0 secondary
     ip address 172.30.71.253 255.255.254.0 secondary
     ip address 172.30.4.253 255.255.255.0 secondary
     The only issue that is eating me is the above network segments are using HSRP too
     and I am not sure is this possible with a combination of VLAN1 supporting multiples which are
     further supported with HSRP settings in Cisco environment.
    !example of HSRP:
    interface Vlan4
     ip address 172.30.4.253 255.255.255.0
     no ip redirects
     standby 4 ip 172.30.4.254
     standby 4 priority 105
     standby 4 preempt
    <<< what will happen if I add the HSRP configuration as below into the above VLAN1 with multiple Network segment ??)
     I would like to summarize my "Combined" configurations as below but I need your expert opinions on
     whether the configuration below is workable without any problem ??
     Or it is a total flop because Cisco does not support the configuration below !!!
     interface Vlan1
     ip address 172.30.0.0 255.255.128.0
     ip address 172.30.31.253 255.255.254.0 secondary
     ip address 172.30.61.253 255.255.254.0 secondary
     ip address 172.30.71.253 255.255.254.0 secondary
     ip address 172.30.4.253 255.255.255.0  secondary
     standby 30 ip 172.30.31.254
     standby 30 priority 105
     standby 30 preempt
     standby 60 ip 172.30.61.254
     standby 60 priority 105
     standby 60 preempt
     standby 70 ip 172.30.71.254
     standby 70 priority 105
     standby 70 preempt
     standby  4 ip 172.30.4.254
     standby  4 priority 105
     standby  4 preempt
    Thanking you in advance !!!!!

    Hi,
    As far as i know we dont set the ip helper address on the radio interface. It should be on the L3 interface of corresposding VLANs i.e.
    int vlan 20
    ip helper-address 192.168.33.xxx
    int vlan 60
    ip helper-address 130.20.1.xxx
    I'm assuming that your using SVI's (int Vlan 20 and int Vlan 60) rahter than physical interfaces. Also hope you have configured switch port as trunk where this AP is connected.
    Modify the AP config as below since you are using data vlan as the native vlan
    interface Dot11Radio0.20
    encapsulation dot1Q 20 native
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    Ideally your AP fastethernet configuration should looks like below and not sure how you missed this as this comes by default when you have multiple vlans for multiple ssids.
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface FastEthernet0.60
    encapsulation dot1Q 60
    no ip route-cache
    bridge-group 60
    no bridge-group 60 source-learning
    bridge-group 60 spanning-disabled
    Hope this helps.
    Regards
    Najaf

  • Diffie Hellman Public Key from openSSL is throwing InvalidKeySpecException

    Ladies and Gents,
    I am trying to write a client application in Java to replace an existing client app that is written in C++. The current client and server use openSSL for the crypto. The client and server perform a Diffie Hellman Key exchange and then encrypt the data streams. Communication is via net sockets and is pure TCP.
    I can get a Java app to Java app DH key exchange to work as well as a C++/openSSL app to C++/openSSL app. A problem arises when I attempt to have a Java client perform a DH Key exchange with the C++/openSSL server.
    I have narrowed down the error to this codeblock (I added the line numbers for clarity):
    164       KeyFactory keyFac = KeyFactory.getInstance("DH");
    165       X509EncodedKeySpec dhKeySpec = new X509EncodedKeySpec(peerPublicKeyBytes);
    166       DHPublicKey peerPublicKey = (DHPublicKey) keyFac.generatePublic(dhKeySpec);Here is the error thrown:
    java.security.spec.InvalidKeySpecException: Inappropriate key specification
         at com.sun.crypto.provider.DHKeyFactory.engineGeneratePublic(DashoA13*..)
         at java.security.KeyFactory.generatePublic(Unknown Source)
         at jClient.crypto.DHCipher.bytesToPublicKey(DHCipher.java:166)Now based on the error given, I can guess that the format of the Public Key I received is somehow incorrect. The server sends its generated public key in the following manner:
    keyLen(4 bytes), keyBytes (keyLen bytes)
    Which is simple enough, so I assumed that simply stripping off the first 4 bytes off the byte[] would yield a viable PublicKey, but I get the above error.
    Additionally, I have tried to modify the code to use a DHPublicKeySpec instead of a X509EncodedKeySpec:
    163       KeyFactory keyFac = KeyFactory.getInstance("DH");
    164       BigInteger peerPubKeyBI = new BigInteger(peerPublicKeyBytes);
    165       DHPublicKeySpec dhKeySpec = new DHPublicKeySpec(peerPubKeyBI, this.p, this.g);
    166       DHPublicKey peerPublicKey = (DHPublicKey) keyFac.generatePublic(dhKeySpec);This seems to accept the openSSL generated public key, but ultimately results in non-matching client and server SecretKeys.
    I normally don't post for help, choosing instead to just keep hammering away at a problem till I win, but this is going on 3 weeks and I have a deadline coming up. Any help would be appreciated. If anymore information is needed, just say so.
    Thanks in advance,
    Dave
    Edited by: claymore1977 on May 26, 2009 4:47 PM

    claymore1977 wrote:
    Which is simple enough, so I assumed that simply stripping off the first 4 bytes off the byte[] would yield a viable PublicKey, but I get the above error.Too simple. If you look at the Javadocs for X509EncodedKeySpec, you can see that it is much more complicated beast that contains object IDs in addition to the DH public bytes. You could try to get openssl to build the more complicated X509EncodedKeySpec, but I see below that you have found a simpler solution.
    >
    >
    Additionally, I have tried to modify the code to use a DHPublicKeySpec instead of a X509EncodedKeySpec:
    163       KeyFactory keyFac = KeyFactory.getInstance("DH");
    164       BigInteger peerPubKeyBI = new BigInteger(peerPublicKeyBytes);
    165       DHPublicKeySpec dhKeySpec = new DHPublicKeySpec(peerPubKeyBI, this.p, this.g);
    166       DHPublicKey peerPublicKey = (DHPublicKey) keyFac.generatePublic(dhKeySpec);
    This looks reasonable, the only thing I can see wrong is the BigInteger constructor you are using. If the data sent is "negative", the resulting BigInteger will be negative and you'll get wrong answers. See if using the sign=magnitude constructor works better for you, i.e. BigInteger peerPubKeyBI = new BigInteger(1, peerPublicKeyBytes);

  • Diffie Hellman Key Exchangeover Network

    Hi. I was reading through many examples on how to generate Difie Hellman keys but they many occurs within a single class or computer and not over a network as Diffie Hellman was created for. I was wondering if there are any available source codes that allows you to perform Diffie Hellman key exchange over the network ?

    See javax.crypto.KeyAgreement

Maybe you are looking for

  • Apple TV 1st Gen with graphics problem.

    Just hired "Taken2" and the subtitles which translate the bad guys language stay on screen permanantly. The only way you can remove the subtitles is to stop & resume the movie. Very annoying. Any answers??

  • Migrating an Open Directory Archive from 10.6.8 to 10.8.5 on new hardware.

    Hi all, We have an old 10.6.8 server running OD and WGM. Lots of users, groups, settings and so on. We want to migrate the entire directory to a new 10.8.5 server and continue to run with WGM for now. Does anyone have a successful method for this? No

  • Triggers in report

    Hi all, Is there any way to display a web page on clicking the url displayed in the report? ie, In one of the text item, an url is displayed in the report. If the user clicks that, a web page has to be opened...any way? I guess no. Anyway, I request

  • Default Code Page

    Experts How do I check the Default Code Page for my system. My system is netweaver 2004 and its a Unicode system. What T Code is used to view the data. Regards, Mahesh

  • Printer just stopped

    I've been printing using the ifelix workaround for a month now with no problem. I have the hp3180 all in one. Just today I cannot print, it is always saying printer is busy. Any idea what happened? Maybe my ip address changed but I'm not sure how to