Disabling block cipher algorithms in CBC mode?

[ViperGeek]

I'm authoring a security advisory about an old weakness in Cipher Block Chaining (CBC) mode ciphers (CVE-2008-5161). One workaround is to disable CBC mode ciphers on the SSH client. I'd like to provide an example of disabling CBC mode ciphers using SecureCRT, but I don't see a way to do that via the command-line or GUI.

Within the GUI, the options available under SSH2 advanced configuration are: AES-128, AES-192, AES-256, Twofish, Blowfish, 3DES, RC4, and None. However, there are -CTR and -CBC ciphers available for many of these (eg. AES128-CTR and AES128-CBC, etc.).

How do I disable CBC mode ciphers, or make CTR mode ciphers more preferable in SecureCRT 5.0.5?

Thanks!

- Dave

[miked]

Hello Dave,

Thanks for posting your question. Support for CTR ciphers was added in SecureCRT 6.2. You can disable the AES CBC ciphers in SecureCRT 5.0.5 (Session Options / Connection / SSH2 / Advanced) but there are not any AES CTR ciphers to enable in that version.

If you install SecureCRT 6.2 or newer then you can select the CTR ciphers and then move them to the top of the Cipher list using the up arrows at the right.

[ViperGeek]

Thanks for the prompt and detailed reply, Mike.

I saw your security advisory for CVE-2008-5161 which does reference SecureCRT 6.1.3 or later:

http://www.vandyke.com/support/advis...ni-957037.html

I only have a license for SecureCRT 5.0.5, but I may download your latest software as a trial so I can get a few screen captures for our bulletin.

Thanks again for the answer to my question.

- Dave

[miked]

Hi Dave,

I'm glad the information helped. You found a great link to the advisory. You can install SecureCRT 6.5 to a different folder as well and keep your existing SecureCRT 5.0.5, plus use SecureCRT 6.5 in evaluation mode. To do so, during installation choose Custom when prompted for Complete or Custom (the fourth window into the installation). Click here to go directly to the current installers.

[ViperGeek]

Your alternate directory suggestion worked well. The only unfortunate side effect was that my sessions in C:\Documents and Settings\...\Sessions all got converted to version 6 format, making it a challenge to re-use 5.0.5. Thank goodness for Norton Ghost.

As you described, the CTR mode ciphers were all there, and could be placed ahead of the problematic CBC mode ciphers:



Thanks again.

- Dave

[miked]

Hi Dave,

Sorry I forgot to mention the .ini file format change - I should have suggested making a backup of the configuration folder. Good to hear you already had a backup.

[pappale]

I want to disable cipher mode of encryption and want to enable CTR mode of encryption.How do i do this.?

[rtb]

Hi pappale,

Thanks for the post.

You would disable the ciphers that don't have "CTR" in the name. I have posted an updated screenshot that more explicitly illustrates the changes that one might like to make.

If you don't see any ciphers that have "CTR" in the name, you are likely using a version of SecureCRT older than 6.1.3.