DH key exchange and ECDH principle
Time: 2013-06-24 18:50:55
Source: CSDN blog
Original: http://blog.csdn.net/sudochen/article/details/9164427
Let's take Alice and Bob as an example to describe the principle of Diffie-Hellman key exchange. 1. All participants involved in the Diffie-Hellman exchange process define a group in which a large prime number p and a base g are defined. 2. Diffie-Hellman key exchange is a two-part process, both Alice and
Release date: 2011-09-06
Updated on: 2011-09-06
Affected Systems: OpenSSL Project OpenSSL 1.x
Description:
CVE ID: CVE-2011-3207, CVE-2011-3210
OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.
OpenSSL has CRL bypass and ECDH denial of service vulnerabilities
OpenSSL anonymous ECDH Denial of Service Vulnerability (CVE-2014-3470)
Release date:
Updated on: 2014-06-06
Affected Systems: OpenSSL Project OpenSSL OpenSSL Project OpenSSL OpenSSL Project OpenSSL
Description:
Bugtraq ID: 67898
CVE (CAN) ID: CVE-2014-3470
OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is wide
Website SSL vulnerability repair Guide
Some time ago, I scanned the company's website and used the AWVS scanner. I found several SSL vulnerabilities. I found some repair suggestions on the Internet and am sharing them with you; if you encounter the same problem as me, you can use this solution.
The SSL vulnerabilities of Web sites mainly include the following:
1. SSL RC4 Cipher Suites Supported
2. SSL Weak Cipher Suites Supported
3. The FREAK attack (export cipher suites supported)
4. The POODLE ata
security level as RSA with a smaller prime number (256 bits). The disadvantage is that the algorithm is complex, its history in key exchange is short, and it has not been tested by long-term security attacks.
ECDH: PFS is not supported, security is low, and False Start cannot be implemented.
DHE: ECC is not supported. Consumes a lot of CPU resources.
It is recommended that RSA and ECDH_RSA key exchange algorithms be supported first. The reasons are: 1. ECDHE supports ECC accel
these encryption programs:
aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com
SSH client prompt: Server responded "Algorithm negotiation failed"
Key exchange with the remote host failed. This can happen Example computer does not support the selected algorithms.
-------------------------------------------
The problem has been solved. Modify the SSH configuration file /etc/ssh/sshd_config.
Add the following in the configuration file:
Ciphe
algorithms. They are characterized by the following:
RSA: The algorithm is simple. It was born in 1977, has a long history, and has withstood lengthy cracking attempts, so its security is high. The disadvantage is that it requires large prime numbers (currently 2048-bit) to ensure security strength, and it consumes CPU computing resources. RSA is currently the only algorithm that can be used for both key exchange and certificate signing.
DH: The Diffie-Hellman key exchange algorithm, which was born early (1977), bu
hudson.model.Executor.run(Executor.java:240)
Finished: FAILURE
Reason Analysis:
The key exchange algorithms supported by OpenSSH and JSch differ, so one side must enable a key exchange algorithm supported by the other.
OpenSSH enables only the following key exchange algorithms by default:
- curve25519-sha256@libssh.org
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-s
-------------------------------------
To set the root administrator account password:
sudo passwd root
Enter the normal user password and then modify it.
After the change, log out with root
To install remote services:
$ sudo apt-get install openssh-server
$ sudo /etc/init.d/ssh restart
Check service status:
systemctl --failed
Server responded "algorithm negotiation failed." Cannot connect remotely.
vi /etc/ssh/sshd_config
Finally, add the following information:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192
locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:
get (GET) your document named /images/logo.png; the last modified time of my cache is 20161201
B: This document has not been modified, you can just use the cache (304)
A: I'll send you a copy of the document (POST), which you store at /upload/file.jpg; the content is xxxxxx
B: OK, the resource has been created (201)
As you can see, HTTP/1.1 requests basically simulate a human dialogue: one request, one response, with the two sides exchanging data.
HTTP/2 multiplexin
IANA and is assigned a two-byte flag. All cipher suites can be viewed on the IANA TLS Cipher Suite Registry page.
All cipher suites supported by the OpenSSL library can be viewed with the following command:
# openssl ciphers -V
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
1. 0xC0,0x30 is the cipher suite number, which is used in the SSL handshake.
2. ECDHE-RSA-AES256-GCM-SHA384 is the name of the cryptographic sui
the 192.168.1.112 machine, you need to enter a password.
② Client Mode:
2. Problems and Solutions
One workaround when the SSH client reports "algorithm negotiation failed":
Modify the sshd configuration file /etc/ssh/sshd_config
In the configuration file, add:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-g
On Ubuntu 16.04, after you install openssh-server, you may get this error when you connect using an SSH client, as shown in the following scenario:
Server responded "algorithm negotiation failed"
Modify the server-side SSH configuration file, located at /etc/ssh/sshd_config. Enter the following command to edit it:
sudo vi /etc/ssh/sshd_config
Switch to edit mode (i) and set the parameter:
PasswordAuthentication yes
Add at the end of the configuration file:
Ciphers aes128-cbc,aes192-cb
Error: Server responded "algorithm negotiation failed"
Workaround:
Modify the SSH configuration file /etc/ssh/sshd_config
Add the following at the end:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-@openssh.com,hmac-ripemd160,hmac-sha1-,hmac-md5-
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-
Error message:
com.jcraft.jsch.JSchException: Algorithm negotiation fail
Problem analysis:
The sshd configuration does not enable an algorithm that the JSch jar requires. The algorithms enabled by default are listed in man sshd_config; it is possible that a newer version of sshd turns off some of the algorithms by default (version 7.5 has this problem).
Hash (MAC) algorithm view: ssh -Q mac
KEX algorithm view: ssh -Q kex
Transfer encryption algorithm view: ssh -Q cipher
The above command to see the alg
root 4.0K 7 06:38 Pictures
drwxr-xr-x 2 root root 4.0K 7 06:38 public
-rw-r--r--. 1 root root 358 1 08:07 redhat.repo_bak
drwxr-xr-x 2 root root 4.0K 7 06:38 Templates
drwxr-xr-x 2 root root 4.0K 7 06:38 Videos
mkdir -p /agent
chown -R oracle:oinstall /agent
Other:
Note: Since the host has SSH remote restrictions in place, the following parameter file must be modified on the monitoring server and on all monitored hosts:
vi /etc/ssh/sshd_config
Add the following:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-