Does SecureCRT (8) support Curve25519?

[RobIII]

Curve25519

Quote:

Quote:

Since then, Curve25519 has become the de-facto alternative to P-256, and is used in a wide variety of applications. In 2014 OpenSSH defaults to Curve25519-based ECDH.

Secure Secure Shell

Quote:

OpenSSH supports 8 key exchange protocols:

curve25519-sha256: ECDH over Curve25519 with SHA2
...
ECDH curve choice: This eliminates 6-8 because NIST curves suck. They leak secrets through timing side channels and off-curve inputs. Also, NIST is considered harmful and cannot be trusted.
...
Recommended /etc/ssh/sshd_config snippet:

Code:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

As the title states: I can't find Curve25519 under the Key Exchange options (I do have alternatives I can use ofcourse). But does SecureCRT support Curve25519 or, if it doesn't, will it in the future and if so: when (guesstimate?)

[jdev]

SecureCRT 8 does not support the curve25519 key exchange algorithm.

We don't have a specific timeline for supporting this algorithm, but I have added a feature request. We'll post here in this forum thread if something becomes available and, as always, if you'd like email notification should something become available, feel free to send an email to support@vandyke.com with a subject of "ATTN: Feature request for Forum thread #12314 (curve25519)" or use this form to submit the same.

Best bet for the time being is to use the algorithm from #5 on the list, which is supported in SecureCRT 8.0 (diffie-hellman-group-exchange-sha256).

--Jake

[RobIII]

http://arstechnica.com/security/2016...f-crypto-keys/

While there's no *immediate* need to, I'd still really like to move from

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

to

KexAlgorithms curve25519-sha256@libssh.org

[jdev]

Dear Rob III,

We understand your desire to move away from DH to your preferred key exchange algorithm: curve25519. We commit to posting notification to this forum should this algorithm be implemented in SecureCRT.

Note that as of SecureCRT 8.0, the DH exchange methods default to using primes that are at least 2048 bits, and you can increase this to even larger values as desired.

You would need to be connecting to a server that has a primes set that supports larger values in order to be successful, but you might very well be able to put to rest your concerns about 1024-bit primes with DH in the mean time by forcing 2048 or greater primes to be used during key exchange with an SSH2 server.

--Jake

[mdella]

So many of the machines we have in public data centers move "digital money" around using various tunnels, etc. Although we have a layered system, because of the nature of what is being moved, we constantly review our access security systems and change our standards as we go. Currently our ingress servers/jump boxes have been configured to support only:

Code:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Additionally we are using a prime size of 4096 for the group exchange. Our intent is to remove the group exchange from our ingress servers within 18 months (by July 2018). Although we have time, we are definitely planning for our options in the future. At this point, we use PuTTY 0.68 as our fallback to do client connections to our curve25519 based machines. Obviously this isn't what we want long term, but at least our bases there are covered.

--Marcos

[bgagnon]

Hi Marcos,

SecureCRT has not implemented curve25519 key exchange algorithm yet.

I have added this thread to a feature request in our product enhancement database to implement curve25519-sha256 and curve25519-sha256@libssh.org key exchange algorithms. Should a future release of SecureCRT include this feature, notification will be posted here.

If you prefer direct email notification, send an email to support@vandyke.com and include "Feature Request - Forum Thread #12314" in the subject line or use this form from the support page of our website.

[MotamanIT]

Dear,

Our company is (was?) using secureFx but our last servers only support curve25519. We are forced to now use FileZilla :/

Best regards,

[bgagnon]

Hi MotamanIT,

I am sorry to hear that. It's rare that a server only supports one key exchange algorithm.

This post has some info on what's involved in implementing new encryption algorithms.

[bgagnon]

Hi All,

Our developers have implemented support for the curve25519-sha256 key exchange algorithm (known by two names, curve25519-sha256 and curve25519-sha256@libssh.org, it's the same algorithm in both cases).

If you would like us to make this pre-release build available to you, please contact support@vandyke.com and include "Curve25519 feature request" (or similar) in the subject line. If writing us from an email address other than that associated with your VanDyke Software download account, then please indicate in the body of the email what email address is associated with your download account.

[bgagnon]

Hi all,

The curve25519-sha256 key-exchange algorithm was implemented in v8.5.2:

Changes in SecureCRT 8.5.2 (Official) -- November 15, 2018
----------------------------------------------------------
New feature:

• Added support for the curve25519-sha256 key-exchange algorithm.