SSH Audit Results For test.host.io

F
Score: 43 / 100
Host Keys: 2 of 6 passing (33%)
Key Exchanges: 4 of 10 passing (40%)
Ciphers: 13 of 15 passing (86%)
MACs: 0 of 3 passing (0%)

Server Details

IP Address:
10.11.12.13
Banner:
SSH-2.0-OpenSSH_6.8
Fingerprint (ssh-ed25519):
SHA256:fdDIoFwEWSzYCkDeBYNZWYmXYMofsaNNzHb7p58aJV4
Fingerprint (ssh-rsa):
SHA256:K4mKS3/lqPYbhR/NAh3B2f1IMeHjQ7OCNvQvkpVvqpY

Host Key Types

ssh-ed25519
ecdsa-sha2-nistp256
  • NIST P-curves are possibly back-doored by the U.S. National Security Agency. Score reduced by 2.
rsa-sha2-512 (2048-bit)
  • A 3072-bit modulus is needed to provide 128 bits of security, but a 2048-bit modulus is in use. Score reduced by 1.
ssh-rsa-sha256@ssh.com
rsa-sha2-256 (2048-bit)
  • A 3072-bit modulus is needed to provide 128 bits of security, but a 2048-bit modulus is in use. Score reduced by 1.
ssh-rsa (2048-bit)
  • A 3072-bit modulus is needed to provide 128 bits of security, but a 2048-bit modulus is in use. Score reduced by 1.

Key Exchange Algorithms

curve25519-sha256@libssh.org
ecdh-sha2-nistp521
  • NIST P-curves are possibly back-doored by the U.S. National Security Agency. Score reduced by 2.
ecdh-sha2-nistp384
  • NIST P-curves are possibly back-doored by the U.S. National Security Agency. Score reduced by 2.
ecdh-sha2-nistp256
  • NIST P-curves are possibly back-doored by the U.S. National Security Agency. Score reduced by 2.
diffie-hellman-group16-sha512
diffie-hellman-group15-sha512
diffie-hellman-group-exchange-sha256 (1024-bit)
  • Small modulus in use (1024-bit). Score capped at 65.
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
  • SHA-1 has exploitable weaknesses. Score reduced by 2.
diffie-hellman-group-exchange-sha1 (1024-bit)
  • SHA-1 has exploitable weaknesses. Small modulus in use (1024-bit). Score reduced by 3.

Encryption Ciphers

aes256-ctr
aes256-cbc
aes192-ctr
aes192-cbc
aes128-ctr
aes128-cbc
twofish256-ctr
twofish192-ctr
twofish128-ctr
twofish256-cbc
twofish192-cbc
twofish128-cbc
twofish-cbc
3des-ctr
  • 3DES is vulnerable to the SWEET32 attack. Score reduced by 1.
3des-cbc
  • 3DES is vulnerable to the SWEET32 attack. Score reduced by 1.

Message Authentication Codes

hmac-sha2-512
  • Uses encrypt-and-MAC method. Score reduced by 1.
hmac-sha2-256
  • Uses encrypt-and-MAC method. Score reduced by 1.
hmac-sha1
  • SHA-1 has exploitable weaknesses. Score reduced by 2.

Findings & References

  1. Possibly Compromised NIST P-Curves In Use
    Description: The NIST P-curves are strongly suspected by some of being back-doored by the NSA.
    Affected Algorithms:
    • ecdsa-sha2-nistp256
    • ecdh-sha2-nistp521
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp256
    Solution: Replace ECDSA host keys with RSA and/or ED25519 host keys. Replace ECDH key exchange algorithms with traditional Diffie-Hellman algorithms and/or the Curve25519 algorithm.
    References:
    • Bernstein, D., Lange, T., "SafeCurves: choosing safe curves for elliptic-curve cryptography", <https://safecurves.cr.yp.to/>, Published 2014, Retrieved Oct. 3, 2017.
  2. Deprecated & Weak SHA-1 Algorithm In Use
    Description: SHA-1 is known to have several practical & exploitable weaknesses.
    Affected Algorithms:
    • diffie-hellman-group14-sha1
    • diffie-hellman-group-exchange-sha1
    • hmac-sha1
    Solution: Replace SHA-1 with SHA-256, SHA-384, or SHA-512.
    References:
  3. Vulnerable Triple-DES Cipher Enabled
    Description: Triple-DES has been deprecated and is vulnerable to the SWEET32 attack. In certain circumstances, this allows an eavesdropper to decrypt ciphertext.
    Affected Algorithms:
    • 3des-ctr
    • 3des-cbc
    Solution: Disable the Triple-DES cipher.
    References:
  4. Encrypt-And-MAC Algorithm Enabled
    Description: Encrypt-and-MAC algorithms are theoretically weaker than encrypt-then-MAC (ETM) algorithms with respect to chosen-plaintext attacks, chosen-ciphertext attacks, and non-malleability.
    Affected Algorithms:
    • hmac-sha2-512
    • hmac-sha2-256
    Solution: Disable the affected MACs.
    References:
    • Bellare, M., Namprempre, C., "Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm", <http://cseweb.ucsd.edu/~mihir/papers/oem.pdf>, pg. 5, Published Jul. 14, 2007, Retrieved Oct. 9, 2017.