VanDyke Software Forums

#1
10-01-2010, 02:11 PM
ViperGeek
Disabling block cipher algorithms in CBC mode?

I'm authoring a security advisory about an old weakness in Cipher Block Chaining (CBC) mode ciphers (CVE-2008-5161). One workaround is to disable CBC mode ciphers on the SSH client. I'd like to provide an example of disabling CBC mode ciphers using SecureCRT, but I don't see a way to do that via the command-line or GUI.

Within the GUI, the options available under SSH2 advanced configuration are: AES-128, AES-192, AES-256, Twofish, Blowfish, 3DES, RC4, and None. However, there are -CTR and -CBC ciphers available for many of these (e.g., AES128-CTR and AES128-CBC, etc.).

How do I disable CBC mode ciphers, or make CTR mode ciphers more preferable in SecureCRT 5.0.5?

Thanks!

- Dave
#2
10-01-2010, 03:28 PM
miked
Hello Dave,

Thanks for posting your question. Support for CTR ciphers was added in SecureCRT 6.2. You can disable the AES CBC ciphers in SecureCRT 5.0.5 (Session Options / Connection / SSH2 / Advanced) but there are not any AES CTR ciphers to enable in that version.

If you install SecureCRT 6.2 or newer then you can select the CTR ciphers and then move them to the top of the Cipher list using the up arrows at the right.
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
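
Why moving the CTR ciphers to the top of the list works, as an added example that is not part of the original posts and is not VanDyke's code: in SSH (RFC 4253, section 7.1) the negotiated cipher is the first one on the client's list that the server also supports. The cipher lists are constructed and the function names are hypothetical; the last cases show that reordering alone still falls back to CBC against a CBC-only server, while removing CBC makes that connection fail instead.

```python
# Added example: SSH cipher selection per RFC 4253, section 7.1.
# All cipher lists below are constructed for illustration.

def negotiate(client_prefs, server_ciphers):
    """Return the first cipher on the client's list that the server also offers."""
    offered = set(server_ciphers)
    for name in client_prefs:
        if name in offered:
            return name
    return None  # no common cipher: the connection attempt fails


def prefer_ctr(client_prefs):
    """Stable reorder: CTR ciphers first, the rest keep their relative order."""
    return sorted(client_prefs, key=lambda n: not n.endswith("-ctr"))


def drop_cbc(client_prefs):
    """Remove every CBC-mode cipher from the client's offer."""
    return [n for n in client_prefs if not n.endswith("-cbc")]


def audit(client_prefs, server_ciphers):
    """Return (negotiated cipher, verdict) for one client/server pairing."""
    chosen = negotiate(client_prefs, server_ciphers)
    if chosen is None:
        return (None, "no common cipher")
    return (chosen, "CBC in use" if chosen.endswith("-cbc") else "ok")


# Constructed client preference list with CBC ciphers ahead of CTR.
CLIENT_DEFAULT = ["aes256-cbc", "aes128-cbc", "3des-cbc", "aes256-ctr", "aes128-ctr"]
# Constructed server offers: one with CTR support, one CBC-only.
SERVER_MODERN = ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"]
SERVER_LEGACY = ["aes128-cbc", "3des-cbc"]

if __name__ == "__main__":
    variants = [
        ("default order", CLIENT_DEFAULT),
        ("CTR first", prefer_ctr(CLIENT_DEFAULT)),
        ("CBC removed", drop_cbc(CLIENT_DEFAULT)),
    ]
    for label, prefs in variants:
        for sname, server in [("modern", SERVER_MODERN), ("legacy", SERVER_LEGACY)]:
            print(f"{label:14} vs {sname:6} -> {audit(prefs, server)}")
```
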
#3
10-01-2010, 04:12 PM
ViperGeek

Thanks for the prompt and detailed reply, Mike.

I saw your security advisory for CVE-2008-5161 which does reference SecureCRT 6.1.3 or later:

http://www.vandyke.com/support/advis...ni-957037.html

I only have a license for SecureCRT 5.0.5, but I may download your latest software as a trial so I can get a few screen captures for our bulletin.

Thanks again for the answer to my question.

- Dave
#4
10-01-2010, 04:24 PM
miked
Hi Dave,

I'm glad the information helped. You found a great link to the advisory. You can install SecureCRT 6.5 to a different folder as well and keep your existing SecureCRT 5.0.5, plus use SecureCRT 6.5 in evaluation mode. To do so, during installation choose Custom when prompted for Complete or Custom (the fourth window into the installation). Click here to go directly to the current installers.
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
#5
10-01-2010, 05:52 PM
ViperGeek
Your alternate directory suggestion worked well. The only unfortunate side effect was that my sessions in C:\Documents and Settings\...\Sessions all got converted to version 6 format, making it a challenge to re-use 5.0.5. Thank goodness for Norton Ghost.

As you described, the CTR mode ciphers were all there, and could be placed ahead of the problematic CBC mode ciphers:



Thanks again.

- Dave
#6
10-04-2010, 08:10 AM
miked
Hi Dave,

Sorry I forgot to mention the .ini file format change - I should have suggested making a backup of the configuration folder. Good to hear you already had a backup.
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
All times are GMT -7.