## SSH Audit Results For test.host.io

F

Score: 43 / 100

| Category | Result |
| --- | --- |
| Host Keys | 2 of 6 passing (33%) |
| Key Exchanges | 4 of 10 passing (40%) |
| Ciphers | 13 of 15 passing (86%) |
| MACs | 0 of 3 passing (0%) |

## Server Details

- IP Address: 10.11.12.13
- Banner: SSH-2.0-OpenSSH_6.8
- Fingerprint (ssh-ed25519): SHA256:fdDIoFwEWSzYCkDeBYNZWYmXYMofsaNNzHb7p58aJV4
- Fingerprint (ssh-rsa): SHA256:K4mKS3/lqPYbhR/NAh3B2f1IMeHjQ7OCNvQvkpVvqpY

## Host Key Types

ssh-ed25519

ecdsa-sha2-nistp256

- NIST P-curves are possibly back-doored by the U.S. National Security Agency. Score reduced by 2.

rsa-sha2-512 (2048-bit)

- A 3072-bit modulus is needed to provide 128 bits of security, but a 2048-bit modulus is in use. Score reduced by 1.

ssh-rsa-sha256@ssh.com

rsa-sha2-256 (2048-bit)

- A 3072-bit modulus is needed to provide 128 bits of security, but a 2048-bit modulus is in use. Score reduced by 1.

ssh-rsa (2048-bit)

- A 3072-bit modulus is needed to provide 128 bits of security, but a 2048-bit modulus is in use. Score reduced by 1.

## Key Exchange Algorithms

curve25519-sha256@libssh.org

ecdh-sha2-nistp521

- NIST P-curves are possibly back-doored by the U.S. National Security Agency. Score reduced by 2.

ecdh-sha2-nistp384

- NIST P-curves are possibly back-doored by the U.S. National Security Agency. Score reduced by 2.

ecdh-sha2-nistp256

- NIST P-curves are possibly back-doored by the U.S. National Security Agency. Score reduced by 2.

diffie-hellman-group16-sha512

diffie-hellman-group15-sha512

diffie-hellman-group-exchange-sha256 (1024-bit)

- Small modulus in use (1024-bit). Score capped at 65.

diffie-hellman-group14-sha256

diffie-hellman-group14-sha1

- SHA-1 has exploitable weaknesses. Score reduced by 2.

diffie-hellman-group-exchange-sha1 (1024-bit)

- SHA-1 has exploitable weaknesses. Small modulus in use (1024-bit). Score reduced by 3.

## Encryption Ciphers

aes256-ctr

aes256-cbc

aes192-ctr

aes192-cbc

aes128-ctr

aes128-cbc

twofish256-ctr

twofish192-ctr

twofish128-ctr

twofish256-cbc

twofish192-cbc

twofish128-cbc

twofish-cbc

3des-ctr

- 3DES is vulnerable to the SWEET32 attack. Score reduced by 1.

3des-cbc

- 3DES is vulnerable to the SWEET32 attack. Score reduced by 1.

## Message Authentication Codes

hmac-sha2-512

- Uses encrypt-and-MAC method. Score reduced by 1.

hmac-sha2-256

- Uses encrypt-and-MAC method. Score reduced by 1.

hmac-sha1

- SHA-1 has exploitable weaknesses. Score reduced by 2.

## Findings & References

### Possibly Compromised NIST P-Curves In Use

**Description:** The NIST P-curves are strongly suspected by some as being back-doored by the NSA.

**Affected Algorithms:**

- ecdsa-sha2-nistp256
- ecdh-sha2-nistp521
- ecdh-sha2-nistp384
- ecdh-sha2-nistp256

**Solution:** Replace ECDSA host keys with RSA and/or ED25519 host keys. Replace ECDH key exchange algorithms with traditional Diffie-Hellman algorithms and/or the Curve25519 algorithm.

**References:**

- Bernstein, D., Lange, T., "SafeCurves: choosing safe curves for elliptic-curve cryptography", <https://safecurves.cr.yp.to/>, Published 2014, Retrieved Oct. 3, 2017.

### Deprecated & Weak SHA-1 Algorithm In Use

**Description:** SHA-1 is known to have several practical and exploitable weaknesses.

**Affected Algorithms:**

- diffie-hellman-group14-sha1
- diffie-hellman-group-exchange-sha1
- hmac-sha1

**Solution:** Replace SHA-1 with SHA-256, SHA-384, or SHA-512.

**References:**

- Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y., "The first collision for full SHA-1", <https://shattered.io/static/shattered.pdf>, Retrieved Jun. 1, 2017.
- Google, Inc., "Gradually sunsetting SHA-1", <https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html>, Published Sept. 5, 2014, Retrieved Jun. 1, 2017.

### Vulnerable Triple-DES Cipher Enabled

**Description:** Triple-DES has been deprecated and is vulnerable to the SWEET32 attack. In certain circumstances, this allows an eavesdropper to decrypt ciphertext.

**Affected Algorithms:**

- 3des-ctr
- 3des-cbc

**Solution:** Disable the Triple-DES cipher.

**References:**

- Bhargavan, K., Leurent, G., "On the Practical (In-)Security of 64-bit Block Ciphers", <https://sweet32.info/SWEET32_CCS16.pdf>, Published Oct. 2016, Retrieved Oct. 3, 2017.
- U.S. Department of Commerce, National Institute of Standards and Technology, "NIST Special Publication 800-131A Revision 1: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths", <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf>, pg. 4-5, Published Nov. 2015, Retrieved Jun. 1, 2017.

### Encrypt-And-MAC Algorithm Enabled

**Description:** Encrypt-and-MAC algorithms are theoretically weaker than encrypt-then-MAC (ETM) algorithms with respect to chosen plaintext attacks, chosen ciphertext attacks, and non-malleability.

**Affected Algorithms:**

- hmac-sha2-512
- hmac-sha2-256

**Solution:** Disable the affected MACs.

**References:**

- Bellare, M., Namprempre, C., "Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm", <http://cseweb.ucsd.edu/~mihir/papers/oem.pdf>, pg. 5, Published Jul. 14, 2007, Retrieved Oct. 9, 2017.