Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
975
Views
1
Helpful
4
Replies

Cisco ISE sshd encryption-algorithm choices & OpenSSH

dynaB
Level 1
Level 1

‎10-22-2024 03:41 AM

Hi,

In the following Cisco ISE guide it is stated the four encryption-algorithm options supported for the sshd service are: aes128-cbc, aes256-cbc, aes128-ctr, aes128-ctr. However, I read somewhere Cisco ISE's ssh functionality is based on the OpenSSH library. Current OpenSSH versions offer more than those four choices

OpenSSH: the supported ciphers are

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

OpenSSH: the default is

chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com

I wonder if any of the @openssh.com choices would be able to be used for Cisco ISE as well, on its current state.

Cheers,

0 Helpful
4 Replies 4

Aref Alsouqi
VIP
VIP

‎10-22-2024 04:23 AM

As of version 3.3 the algorithms shown in this link seem to be the only ones supported:

Cisco Identity Services Engine CLI Reference Guide, Release 3.3 - Cisco ISE CLI Commands in Configuration Mode [Cisco Identity Services Engine] - Cisco

I'm not sure though if TAC team via ISE root shell could enable more algorithms or not. I think it's worth check with TAC about this.

0 Helpful

Arne Bier
VIP
VIP

‎10-22-2024 05:41 PM

@dynaB may I ask why you're looking for additional SSH encryption algorithms in ISE?  Is there an issue with the ones that we have available? I haven't studied the pros and cons of all of these - just curious.

0 Helpful

dynaB
Level 1
Level 1

‎10-24-2024 04:02 AM

@Arne Bier So far there shouldn't be a problem with the encryption algorithms using CTR since it goes accompanied with authentication via a MAC, and CBC is still supported to this day even if not as a default in some libraries (openssh, for example) due to other options (CTR in this case) being considered more secure. These two options also seem more widespread than GCM.

However, supporting GCM as well could be an attractive option. Without trying to sound too preachy, it is a form of authenticated encryption - it encrypts via using a variant of CTR, while having a built-in integrity check, thus forgoing the need for a MAC found in the current options. Overall, GCM is considered a faster (due to integrating authentication within the encryption process rather than separated) and safer option to implement (it is only one implementation rather than two; less concern is raised with making encryption side and authentication side compatible with each other).

An aspect to consider is that current SSH options for GCM (and Chacha20Poly1305, offering a similar functionality) are defined by openssh itself, based on RFC 5647 (SSH follows its corresponding IETF RFCs as standard). Hence why they are accompanied with the @openssh.com tag. This in principle shouldn't be a problem since the differing factor from the standard is a matter of functionality within OpenSSH, fixing an existing issue.

Cheers,

Arne Bier
VIP
VIP

‎10-24-2024 11:52 PM

It's good to get one's head around these things, because it's not obvious at first glance. 

0 Helpful
Customers Also Viewed These Support Documents