rajesh_s
Nickel

Disable CBC mode cipher encryption and enable CTR or GCM cipher mode

In R77.30 I need to enable the CTR or GCM cipher mode encryption instead of CBC cipher encryption. Please, someone help me to fix this issue.

10 Replies
Admin
Admin

Re: Disable CBC mode cipher encryption and enable CTR or GCM cipher mode

Please clarify which part of the product you're asking about as there are several places that use these ciphers and the answer is different for each one.

0 Kudos
rajesh_s
Nickel

Re: Disable CBC mode cipher encryption and enable CTR or GCM cipher mode

Hi Demeon,

Thanks for your response.

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

 

0 Kudos
Admin
Admin

Re: Disable CBC mode cipher encryption and enable CTR or GCM cipher mode

You can change the enabled SSH ciphers in the following files:

  • /etc/ssh/ssh_config
  • /etc/ssh/sshd_config

Look for the Ciphers line and remove the appropriate entries from that line.

Restart the ssh daemon with the command: service sshd restart 
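
The Ciphers-line edit described in the reply above, as an added example that is not part of the original thread: it keeps only CTR and GCM entries and refuses a rewrite that would leave the list empty. The function names and the sample cipher line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps only CTR and GCM entries on an
# sshd_config "Ciphers" line; the sample values below are constructed.

# ctr_gcm_only "<Ciphers line>": prints the rewritten line. Returns 1 if no
# CTR/GCM cipher is left, since an empty list would break SSH logins.
ctr_gcm_only() {
    kept=
    while IFS= read -r c; do
        case $c in
            *-ctr|*-gcm@*) kept=${kept:+$kept,}$c ;;   # allowed modes
        esac                                           # CBC and the rest: dropped
    done <<EOF
$(printf '%s\n' "$1" | sed 's/^Ciphers[[:space:]]*//' | tr -d ' \t' | tr ',' '\n')
EOF
    [ -n "$kept" ] || return 1
    printf 'Ciphers %s\n' "$kept"
}

# rewrite_config <file>: prints the file with its Ciphers line rewritten and
# every other line unchanged. Prints nothing and returns 1 if the rewrite
# would leave the Ciphers line empty. Assumes the keyword starts the line.
rewrite_config() {
    out=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "Ciphers "*) line=$(ctr_gcm_only "$line") || return 1 ;;
        esac
        out="$out$line
"
    done < "$1"
    printf '%s' "$out"
}

# Constructed sample line mixing CBC, arcfour and CTR entries.
SAMPLE='Ciphers aes128-cbc,3des-cbc,aes128-ctr,arcfour,aes192-ctr,aes256-ctr'
ctr_gcm_only "$SAMPLE"   # prints: Ciphers aes128-ctr,aes192-ctr,aes256-ctr
```

Check the edited file with `sshd -t` before running `service sshd restart`, and keep the current session open until a new login succeeds.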

rajesh_s
Nickel

Re: Disable CBC mode cipher encryption and enable CTR or GCM cipher mode

Hi Demeon,

I found the cipher keys " Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes2 "

Those are the only keys I found in the SSH configuration. If I remove those keys, will I be able to access the gateway via SSH?

0 Kudos
Admin
Admin

Re:  Disable CBC mode cipher encryption and enable CTR or GCM cipher mode

Assuming you've got ciphers listed that are supported by your SSH client, yes. 

0 Kudos
Bryce_Myers
Nickel

Re: Disable CBC mode cipher encryption and enable CTR or GCM cipher mode

Do you know of a way to modify these ciphers on Gaia Embedded?

0 Kudos
Admin
Admin

Re:  Disable CBC mode cipher encryption and enable CTR or GCM cipher mode

Not that I'm aware of.

Re: Disable CBC mode cipher encryption and enable CTR or GCM cipher mode

R77.20.80 for Small and Medium Business Appliances removed unsafe ciphers/HMACs from SSH server supported ciphers/HMACs: hmac-sha1-96, hmac-md5.

Looks like the ciphers are compiled into the dropbear SSH server binary for Embedded systems!

0 Kudos
rajesh_s
Nickel

Re: Disable CBC mode cipher encryption and enable CTR or GCM cipher mode

There was no ciphers key in the sshd_config file; I just had the below-mentioned cipher keys in the sshd_config file.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

MACs hmac-sha1,hmac-ripemd160.

Thanks a lot for your help.

0 Kudos