Key Exchange

ddremiere@oxya.com
Posts: 1
Location: Kortrijk

Key Exchange

Hi,
Due to security requirements I have been asked to use only the KEX algorithms below to connect to an SFTP site:
  • diffie-hellman-group-exchange-sha256
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
The following ones are refused:
  • diffie-hellman-group14-sha1
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group1-sha1
  • rsa1024-sha1
The KEX names available in WinSCP (found under the KEX parameter at https://winscp.net/eng/docs/rawsettings) all use SHA-1 except ECDH.
But is it ECDH SHA-1 or SHA-2?

If it is SHA-1, it means I have to choose other SFTP software, right?
Thanks in advance
Regards
Daniel

Armin
Guest

Limit the KEX options

Is it possible to limit the KEX options?

Due to security reasons they want to limit the KEX options.

martin
Site Admin
@Armin: Well, I do not know what exactly you are trying to achieve. If you control both the client(s) and the server, then indeed it is the server that should be configured not to allow the unwanted KEX in the first place.

Guest

Hi @Martin, for security reasons I want to remove some of the KEX options that are available in WinSCP.

Oh, I am sorry, I forgot to mention that I am developing a .NET application that uses the WinSCP library to connect to the SFTP server.

I can add new KEX using AddRawSetting but I don't know how to remove the KEX options in the WinSCP Library.

So I assume it can only be done at server side. Is that correct?

Armin
Guest

Hi Martin,

Apologies for the late response, and thanks for the help.

I already mentioned to the team that it is better to remove the KEX algorithm from the server side.
