  #1  
Old 04-05-2016, 04:42 PM
RobIII RobIII is offline
Registered User
 
Join Date: Apr 2016
Location: Netherlands
Posts: 2
Does SecureCRT (8) support Curve25519?

Curve25519

Quote:
Quote:
I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry

 Bruce Schneier, The NSA Is Breaking Most Encryption on the Internet (2013)
Since then, Curve25519 has become the de-facto alternative to P-256, and is used in a wide variety of applications. In 2014 OpenSSH defaults to Curve25519-based ECDH.
Secure Secure Shell

Quote:
OpenSSH supports 8 key exchange protocols:

curve25519-sha256: ECDH over Curve25519 with SHA2
...
ECDH curve choice: This eliminates 6-8 because NIST curves suck. They leak secrets through timing side channels and off-curve inputs. Also, NIST is considered harmful and cannot be trusted.
...
Recommended /etc/ssh/sshd_config snippet:

Code:
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
As the title states: I can't find Curve25519 under the Key Exchange options (I do have alternatives I can use of course). But does SecureCRT support Curve25519 or, if it doesn't, will it in the future and if so: when (guesstimate?)
  #2  
Old 04-05-2016, 05:23 PM
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 1,096
SecureCRT 8 does not support the curve25519 key exchange algorithm.

We don't have a specific timeline for supporting this algorithm, but I have added a feature request. We'll post here in this forum thread if something becomes available and, as always, if you'd like email notification should something become available, feel free to send an email to support@vandyke.com with a subject of "ATTN: Feature request for Forum thread #12314 (curve25519)" or use this form to submit the same.

Best bet for the time being is to use the algorithm from #5 on the list, which is supported in SecureCRT 8.0 (diffie-hellman-group-exchange-sha256).

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
  #3  
Old 10-11-2016, 04:00 PM
RobIII RobIII is offline
Registered User
 
Join Date: Apr 2016
Location: Netherlands
Posts: 2
http://arstechnica.com/security/2016...f-crypto-keys/

While there's no *immediate* need to, I'd still really like to move from

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

to

KexAlgorithms curve25519-sha256@libssh.org
  #4  
Old 10-11-2016, 04:49 PM
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 1,096
Dear Rob III,

We understand your desire to move away from DH to your preferred key exchange algorithm: curve25519. We commit to posting notification to this forum should this algorithm be implemented in SecureCRT.

Note that as of SecureCRT 8.0, the DH exchange methods default to using primes that are at least 2048 bits, and you can increase this to even larger values as desired.
You would need to be connecting to a server that has a primes set that supports larger values in order to be successful, but you might very well be able to put to rest your concerns about 1024-bit primes with DH in the meantime by forcing 2048 or greater primes to be used during key exchange with an SSH2 server.

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
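
The condition in the post above, that the server must have a primes set with large enough values, can be checked on an OpenSSH server by reading its moduli file. This is an added example, not part of the thread and not VanDyke's code; the sample entries are constructed, and it assumes the OpenSSH moduli(5) field layout, where generated files record the size as the bit length minus one.

```python
# Added example: audit an OpenSSH moduli file for DH group-exchange prime sizes.
# Field layout per moduli(5): time type tests trials size generator modulus.
# Assumption: size is stored as bit length minus one (2047 means a 2048-bit prime).

# Constructed sample; the hex moduli are shortened placeholders, not real primes.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20160405000000 2 6 100 1023 2 F1A3C5
20160405000001 2 6 100 1535 2 E2B4D6
20160405000002 2 6 100 2047 5 D3C5E7
20160405000003 2 6 100 3071 2 C4D6F8
20160405000004 2 6 100 4095 2 B5E7A9
broken line
"""


def parse_moduli(text):
    """Yield (bits, line) for each well-formed entry; skip comments and junk."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 7 or not fields[4].isdigit():
            continue
        yield int(fields[4]) + 1, line


def audit_moduli(text, min_bits=2048):
    """Split entries into those meeting min_bits and those below it."""
    kept, dropped = [], []
    for bits, line in parse_moduli(text):
        (kept if bits >= min_bits else dropped).append((bits, line))
    return kept, dropped


def largest_group(text):
    """Largest prime size the file can supply, or 0 if it has no entries."""
    return max((bits for bits, _ in parse_moduli(text)), default=0)


if __name__ == "__main__":
    kept, dropped = audit_moduli(SAMPLE_MODULI, 2048)
    print("usable at 2048+:", [b for b, _ in kept])
    print("below minimum:", [b for b, _ in dropped])
    print("4096-bit minimum satisfiable:", largest_group(SAMPLE_MODULI) >= 4096)
```

On a real server, pass the contents of `/etc/ssh/moduli` instead of the sample; a client minimum above `largest_group()` cannot be met from that file.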
  #5  
Old 02-25-2017, 11:45 AM
mdella mdella is offline
Registered User
 
Join Date: Mar 2004
Location: Scotts Valley, CA
Posts: 42
Added voice for curve25519

So many of the machines we have in public data centers move "digital money" around using various tunnels, etc. Although we have a layered system, because of the nature of what is being moved, we constantly review our access security systems and change our standards as we go. Currently our ingress servers/jump boxes have been configured to support only:

Code:
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Additionally we are using a prime size of 4096 for the group exchange. Our intent is to remove the group exchange from our ingress servers within 18 months (by July 2018). Although we have time, we are definitely planning for our options in the future. At this point, we use PuTTY 0.68 as our fallback to do client connections to our curve25519 based machines. Obviously this isn't what we want long term, but at least our bases there are covered.

--Marcos
__________________
Marcos Della
Data Center Cloud Architect
Nutanix

PGP Fingerprint: BDC7 AFFD E94F FA09 C839 9153 F5FF E128 3094 2B9E
Key ID: 0x30942B9E
  #6  
Old 02-27-2017, 07:11 AM
bgagnon bgagnon is online now
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,634
Hi Marcos,

SecureCRT has not implemented the curve25519 key exchange algorithm yet.

I have added this thread to a feature request in our product enhancement database to implement curve25519-sha256 and curve25519-sha256@libssh.org key exchange algorithms. Should a future release of SecureCRT include this feature, notification will be posted here.

If you prefer direct email notification, send an email to support@vandyke.com and include "Feature Request - Forum Thread #12314" in the subject line or use this form from the support page of our website.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #7  
Old 10-20-2017, 01:06 AM
MotamanIT MotamanIT is offline
Registered User
 
Join Date: Oct 2017
Posts: 1
Still not implemented?

Dear,

Our company is (was?) using SecureFX but our last servers only support curve25519. We are forced to now use FileZilla :/

Best regards,
  #8  
Old 10-20-2017, 08:20 AM
bgagnon bgagnon is online now
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,634
Hi MotamanIT,

I am sorry to hear that. It's rare that a server only supports one key exchange algorithm.

This post has some info on what's involved in implementing new encryption algorithms.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #9  
Old 11-26-2018, 03:31 PM
bgagnon bgagnon is online now
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,634
Hi All,

Our developers have implemented support for the curve25519-sha256 key exchange algorithm (known by two names, curve25519-sha256 and curve25519-sha256@libssh.org; it's the same algorithm in both cases).

If you would like us to make this pre-release build available to you, please contact support@vandyke.com and include "Curve25519 feature request" (or similar) in the subject line. If writing us from an email address other than that associated with your VanDyke Software download account, then please indicate in the body of the email what email address is associated with your download account.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #10  
Old 04-12-2021, 08:19 AM
bgagnon bgagnon is online now
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,634
Hi all,

The curve25519-sha256 key-exchange algorithm was implemented in v8.5.2:

Changes in SecureCRT 8.5.2 (Official) -- November 15, 2018
----------------------------------------------------------
New feature:
  • Added support for the curve25519-sha256 key-exchange algorithm.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
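
The lockout described in this thread (a server restricted to curve25519, a client without it) follows from how SSH picks the key exchange: by exact name match between the two lists. The sketch below is an added example, not part of the thread or any vendor's code; it simplifies RFC 4253 section 7.1 by leaving out the host-key conditions, assumes plain `KexAlgorithms` lists without `+`/`-`/`^` modifiers, and uses constructed client profiles reduced to the algorithms named in the posts.

```python
# Added example: which clients a KexAlgorithms policy locks out.
# Simplified RFC 4253 sec. 7.1: the first name on the client's list that the
# server also lists is chosen. Host-key compatibility conditions are omitted.

# Constructed client profiles (assumption: only algorithms named in the thread).
CLIENTS = {
    "client-without-curve25519": ["diffie-hellman-group-exchange-sha256"],
    "client-with-curve25519": [
        "curve25519-sha256",
        "curve25519-sha256@libssh.org",
        "diffie-hellman-group-exchange-sha256",
    ],
}

# The two sshd_config lines quoted in the thread.
CURRENT_POLICY = ("KexAlgorithms curve25519-sha256@libssh.org,"
                  "diffie-hellman-group-exchange-sha256")
TARGET_POLICY = "KexAlgorithms curve25519-sha256@libssh.org"


def server_kex(config_text):
    """Name-list from the first KexAlgorithms line (first value wins in sshd_config)."""
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "kexalgorithms":
            return [n.strip() for n in parts[1].split(",") if n.strip()]
    return []


def negotiate(client_list, server_list):
    """Exact string comparison; None means key exchange cannot proceed."""
    offered = set(server_list)
    return next((name for name in client_list if name in offered), None)


def lockout_report(config_text):
    """Map each client profile to the agreed algorithm, or None if locked out."""
    server = server_kex(config_text)
    return {name: negotiate(algos, server) for name, algos in CLIENTS.items()}


if __name__ == "__main__":
    for label, policy in (("current", CURRENT_POLICY), ("target", TARGET_POLICY)):
        print(label, lockout_report(policy))
    # The two curve25519 names are one algorithm but distinct strings on the wire.
    print(negotiate(["curve25519-sha256"], server_kex(TARGET_POLICY)))
```

Because the match is on the name string, a server that lists only `curve25519-sha256@libssh.org` does not agree with a client that offers only `curve25519-sha256`, even though both names denote the same algorithm.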