02-25-2017, 11:45 AM
mdella
Registered User
 
Join Date: Mar 2004
Location: Scotts Valley, CA
Posts: 44
Added voice for curve25519

So many of the machines we have in public data centers move "digital money" around using various tunnels, etc. Although we have a layered system, because of the nature of what is being moved, we constantly review our access security systems and change our standards as we go. Currently our ingress servers/jump boxes have been configured to support only:

Code:
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Additionally, we are using a prime size of 4096 for the group exchange. Our intent is to remove the group exchange from our ingress servers within 18 months (by July 2018). Although we have time, we are definitely planning for our options in the future. At this point, we use PuTTY 0.68 as our fallback to do client connections to our curve25519-based machines. Obviously this isn't what we want long term, but at least our bases there are covered.

--Marcos
__________________
Marcos Della
Data Center Cloud Architect
Nutanix

PGP Fingerprint: BDC7 AFFD E94F FA09 C839 9153 F5FF E128 3094 2B9E
Key ID: 0x30942B9E
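An added audit script, not from the post or from OpenSSH or PuTTY: it checks an sshd_config KexAlgorithms line against the two-algorithm allowlist Marcos describes, and flags entries in /etc/ssh/moduli (the file sshd draws group-exchange primes from) that fall below the 4096-bit prime size. The config text and moduli lines are constructed test data; the modulus values are chosen for bit length only and are not real primes.

```python
"""Audit sshd KexAlgorithms and DH group-exchange moduli against a hardened policy."""
import re

# Policy from the post: X25519 first, SHA-256 group exchange as the only fallback.
ALLOWED_KEX = ["curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256"]
MIN_GEX_BITS = 4096  # minimum prime size for diffie-hellman-group-exchange


def kex_from_config(config_text):
    """Return the KexAlgorithms list from sshd_config text (last directive wins), or [] if unset."""
    kex = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(?i)kexalgorithms\s+(\S+)", line)
        if m:
            kex = m.group(1).split(",")
    return kex


def kex_violations(config_text):
    """Algorithms the config still offers that are not on the allowlist."""
    return [k for k in kex_from_config(config_text) if k not in ALLOWED_KEX]


def weak_moduli(moduli_text, min_bits=MIN_GEX_BITS):
    """1-based line numbers of moduli entries whose prime is shorter than min_bits.

    Columns: time type tests trials size generator modulus(hex). The size column in
    shipped files is typically one less than the true bit length (2047, 4095, ...),
    so the bit length is computed from the modulus itself instead of trusted.
    """
    weak = []
    for n, line in enumerate(moduli_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            weak.append(n)  # malformed entry: fail closed
            continue
        if int(fields[6], 16).bit_length() < min_bits:
            weak.append(n)
    return weak


# Constructed config still offering SHA-1 group exchange and a NIST curve ...
WEAK_CONFIG = "Port 22\nKexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1\n"
# ... and the hardened line from the post.
HARDENED_CONFIG = "Port 22\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n"
# Constructed moduli (hypothetical hex values, sized 2048 / 4096 / 8192 bits, not real primes).
SAMPLE_MODULI = "\n".join(["# constructed test data",
                           "20170225 2 6 100 2047 2 " + "f" * 512,
                           "20170225 2 6 100 4095 2 " + "f" * 1024,
                           "20170225 2 6 100 8191 2 " + "f" * 2048])

if __name__ == "__main__":
    print("weak config offers:", kex_violations(WEAK_CONFIG))
    print("hardened config offers:", kex_violations(HARDENED_CONFIG))
    print("moduli lines below 4096 bits:", weak_moduli(SAMPLE_MODULI))
```

On a real host, feed the script the contents of /etc/ssh/sshd_config and /etc/ssh/moduli; any line number it reports is an entry that would let a client negotiate a prime smaller than the policy allows.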