
Difference between MAC Algorithms: hmac-sha1 and hmac-sha1-96

Hi All,

Please let me know which SHA1 hashing algorithm is secure, hmac-sha1 or hmac-sha1-96.

Which should I opt for when performing SSH hardening?

Thank you.

Gayan.

Accepted Solutions

Hi,

Hashing algorithms are as secure as the mathematical function is, while afterwards what matters is the bit length, bigger being preferred as it means fewer chances for collisions (multiple inputs ending up with the same hash output). SHA1-96 is the same thing as SHA1, both compute a 160-bit hash, it's just that SHA1-96 truncates and embeds a 96-bit hash value in the packet. SHA1-96 was really only an option designed to fix some issues with IPsec AH.

So, at the end of the day, use the mainstream SHA1, as long as the other side (like your SSH client) supports it as well.

Regards,

Cristian Matei.
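
The truncation described in the answer above, as an added example that is not part of the original thread: per RFC 4253 section 6.4, both SSH MACs run HMAC-SHA1 over the sequence number and the unencrypted packet, and hmac-sha1-96 sends only the first 12 bytes of the result. The key, packet bytes and sequence number are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# MAC names from RFC 4253 section 6.4 mapped to tag length in bytes.
TAG_LEN = {"hmac-sha1": 20, "hmac-sha1-96": 12}


def ssh_mac(alg: str, key: bytes, seq: int, packet: bytes) -> bytes:
    """MAC over uint32 sequence number || unencrypted packet."""
    if alg not in TAG_LEN:
        raise ValueError(f"unsupported MAC: {alg}")
    data = struct.pack(">I", seq & 0xFFFFFFFF) + packet
    full = hmac.new(key, data, hashlib.sha1).digest()  # always 160 bits
    return full[:TAG_LEN[alg]]  # hmac-sha1-96 keeps the first 96 bits


def verify_mac(alg: str, key: bytes, seq: int, packet: bytes, tag: bytes) -> bool:
    """Check a received tag against the negotiated algorithm."""
    expected = ssh_mac(alg, key, seq, packet)
    # Enforce the negotiated tag length so a shortened tag is never
    # accepted, then compare in constant time.
    return len(tag) == len(expected) and hmac.compare_digest(tag, expected)


# Constructed sample values, not taken from a real SSH session.
KEY = bytes(range(20))                       # 20-byte integrity key
PACKET = b"\x00\x00\x00\x0c\x06constructed"  # placeholder packet bytes
SEQ = 7

if __name__ == "__main__":
    full = ssh_mac("hmac-sha1", KEY, SEQ, PACKET)
    short = ssh_mac("hmac-sha1-96", KEY, SEQ, PACKET)
    print("hmac-sha1    ", full.hex())
    print("hmac-sha1-96 ", short.hex())
    print("96-bit tag is a prefix of the 160-bit tag:", short == full[:12])
    print("tampered packet accepted:",
          verify_mac("hmac-sha1-96", KEY, SEQ, PACKET + b"!", short))
    print("96-bit tag accepted where hmac-sha1 was negotiated:",
          verify_mac("hmac-sha1", KEY, SEQ, PACKET, short))
```
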


balaji.bandi
Hall of Fame

The information below may help you:

https://community.cisco.com/t5/security-documents/hmac/ta-p/3113602

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi BB,

I am aware that both HMAC-Sha1 and HMAC-Sha1-96 are variants of the Sha1 algorithm when configuring SSH options. Please let me know which option I should use for SSH for better security.

Thank You,

Gayan

I used hmac-sha1 in most cases.

BB

Hi Cristian Matei,

Thank you for the explanation.

Gayan

 

 
