
Difference between MAC Algorithms: hmac-sha1 and hmac-sha1-96

Hi All,

Please let me know which SHA1 hashing algorithm is secure, hmac-sha1 or hmac-sha1-96.

Which should I opt for when performing SSH hardening?

 

Thank you.

Gayan.

Accepted Solutions

Hi,

 

Hashing algorithms are as secure as the mathematical function is, while afterwards what matters is the bit length, bigger being preferred as it means fewer chances for collisions (multiple inputs ending up with the same hash output). SHA1-96 is the same thing as SHA1; both compute a 160-bit hash, it's just that SHA1-96 truncates it and embeds a 96-bit hash value in the packet. SHA1-96 was really only an option designed to fix some issues with IPsec AH.

So, at the end of the day, use the mainstream SHA1, as long as the other side (like your SSH client) supports it as well.

 

Regards,

Cristian Matei.

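To make the truncation described in the accepted answer concrete, here is an added example (not part of the original thread, and not Cisco's code) that computes the per-packet SSH tag for both MAC names as RFC 4253 section 6.4 defines them. The helper names `hmac_sha1`, `ssh_mac` and `verify`, the key and the packet bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Tag length in bytes that each MAC puts on the wire (RFC 4253, section 6.4).
# Both names run the same HMAC-SHA1 with the same 20-byte key.
TAG_LEN = {"hmac-sha1": 20, "hmac-sha1-96": 12}


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    """Full 160-bit HMAC-SHA1 digest."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ssh_mac(name: str, key: bytes, seq: int, packet: bytes) -> bytes:
    """Tag for one SSH packet: HMAC over uint32 sequence number || packet,
    cut to the first TAG_LEN[name] bytes."""
    full = hmac_sha1(key, struct.pack(">I", seq) + packet)
    return full[:TAG_LEN[name]]


def verify(name: str, key: bytes, seq: int, packet: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = ssh_mac(name, key, seq, packet)
    return len(tag) == len(expected) and hmac.compare_digest(expected, tag)


# Constructed sample values, for illustration only.
KEY = bytes(range(20))
PACKET = b"\x00\x00\x00\x0c\x0a\x15" + b"\x00" * 10  # made-up packet bytes

if __name__ == "__main__":
    for name in TAG_LEN:
        tag = ssh_mac(name, KEY, 3, PACKET)
        print(f"{name:13} {len(tag) * 8:3d}-bit tag  {tag.hex()}")
    # RFC 2202 test case 1, to confirm the underlying HMAC-SHA1 is standard.
    print(hmac_sha1(b"\x0b" * 20, b"Hi There").hex())
```

Running it prints a 160-bit and a 96-bit tag whose first 24 hex characters are identical.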

5 REPLIES

The information below may help you:

https://community.cisco.com/t5/security-documents/hmac/ta-p/3113602


BB


*** Rate All Helpful Responses ***


Hi BB,

 

I am aware that both HMAC-SHA1 and HMAC-SHA1-96 are variants of the SHA1 algorithm when configuring SSH options. Please let me know which option I should use for SSH for better security.

 

Thank You,

Gayan  


I used hmac-sha1 in most cases.



BB




Hi Cristian Matei,

 

Thank you for the explanation.

 

Gayan

 

 
