Key Exchange :: Support Forum

ddremiere@oxya.com
Joined:: 2021-11-05
Posts:: 1
Location:: Kortrijk

Key Exchange

2021-11-05 11:10

Hi,
due to security requirements I have been asked to only use below KEX to connect to an SFTP site:

diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521

Following ones are refused:

diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
rsa1024-sha1

KEX names available in WinSCP (found for KEX parameter in https://winscp.net/eng/docs/rawsettings) are all with SHA-1 except ECDH.
But is it ECDH SHA-1 or SHA-2?

If SHA-1, it means I have to choose another SFTP ftp software, right?
Thx in advance
Regards
Daniel

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 42,204
Location:: Prague, Czechia

Re: Key Exchange

2021-11-08

WinSCP supports all four algorithms that you were asked to use:
https://winscp.net/eng/docs/ssh_algorithms

Reply with quote

Armin Guest

Limit the KEX options

2023-06-21 02:48

Is it possible to limit the KEX options?

Due the security reason they want to limit the KEX.

Reply with quote

martin◆ Site Admin

Re: Limit the KEX options

2023-06-22

@Armin: That's quite vague. Are you looking for this?
https://winscp.net/eng/docs/ui_login_kex
In any case, algorithms should primarily be restricted on the server-side.

Reply with quote

Armin Guest

2023-06-25 13:17

Hi Martin,

From what I understand WinSCP can support multiple KEX.
they want me to remove this options "diffie-hellman-group1-sha1"
Is that possible?

I just saw this post
How to use diffie-hellman-group-exchange-sha256 in the KEX=

Does it mean, we don't need to change it from the client side, only the server side need to decide which KEX that the server accept, am I right?

Reply with quote

martin◆ Site Admin

2023-06-26

@Armin: Well, I do not know what exactly are you trying to achieve. If you control both client(s) and the server, then indeed it's the server that should be configured not to allow the unwanted KEX in the first place.

Reply with quote

Guest

2023-06-26 13:09

Hi @Martin, for security reason I want to remove some of the KEX options that is available in WinSCP.

Oh I am sorry I forgot to mention that I am developing a .NET Application that use WinSCP library to connect to the SFTP Server.

I can add new KEX using AddRawSetting but I don't know how to remove the KEX options in the WinSCP Library.

So I assume it can only be done at server side. Is that correct?

Reply with quote

martin◆ Site Admin

2023-06-29

@Guest: In .NET assembly, if you configure particular KEX below/after the WARN, the assembly won't use the KEX (will rather fail the connection, if no KEX above/before WARN is supported by the server).
https://winscp.net/eng/docs/rawsettings#kex

Reply with quote

Armin Guest

2023-07-20 11:31

Hi Martin,

Apologize for the late respond, thanks for the help.

I already mentioned to the team that it is better to remove the KEX algorithm from the server side.

Reply with quote

Key Exchange

Key Exchange

Re: Key Exchange

Limit the KEX options

Re: Limit the KEX options

Documentation

Support

Associations

Follow Us