Support of MAC algorithm in WinSCP

Advertisement

Guest

Support of MAC algorithm in WinSCP

My client need to harden the MAC algorithm use for the connection, by disallowing "hmac-sha2-256-etm@openssh.com" while allowing "hmac-sha2-256". Checked the link https://winscp.net/eng/docs/ssh_algorithms, and use the command WinSCP /info, the MAC algorithm supported are listed below
SSH MAC algorithms:
hmac-sha2-256 (hmac-sha2-256-etm@openssh.com)
hmac-sha2-512 (hmac-sha2-512-etm@openssh.com)
hmac-sha1 (hmac-sha1-etm@openssh.com)
hmac-sha1-96 (hmac-sha1-96-etm@openssh.com)
hmac-md5 (hmac-md5-etm@openssh.com)
My questions are:
  1. Are "hmac-sha2-256" and "hmac-sha2-256-etm@openssh.com" 2 distinct (but related?) algorithms?
  2. From the above table, does the item "hmac-sha2-256 (hmac-sha2-256-etm@openssh.com)" mean "hmac-sha2-256" and "hmac-sha2-256-etm@openssh.com" are both supported, instead of support "hmac-sha2-256" in form of "hmac-sha2-256-etm@openssh.com"?
  3. Checked from the log for the MAC algorithm in use and found "Initialised HMAC-SHA-256 outbound MAC algorithm". What does this mean? Does it mean support "hmac-sha-256", "hmac-sha2-256", or others?
  4. Found from post that the MAC algorithm is not configurable in WinSCP (https://winscp.net/forum/viewtopic.php?t=25983), is this still true? Is the MAC algorithm to be used are negotiable during the connection with the client that we cannot enforcedly to specify which one must be used?

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,454
Location:
Prague, Czechia

Re: Support of MAC algorithm in WinSCP

  1. Yes, distinct, but related
  2. Yes, both are supported
  3. SHA-256 and SHA2-256 are the same thing
  4. MAC algorithms are not configurable – disable them of the server, if you do not want to use them
What's wrong with ETM?

Reply with quote

hsyam
Joined:
Posts:
2

Re: Support of MAC algorithm in WinSCP

My service provider requests to disable some and only allow use some algorithm as below.

Algorithms to disable
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • hmac-sha2-256-etm
Algorithms allow
  • hmac-sha256
  • hmac-sha256@ssh.com
  • hmac-sha2-256

  1. From the log "Initialised HMAC-SHA-256 outbound MAC algorithm", can we know "hmac-sha2-256" or "hmac-sha2-256-etm@openssh.com" is in use?
  2. As from the log "Initialised HMAC-SHA-256 outbound MAC algorithm", we would conclude either "hmac-sha2-256" or "hmac-sha2-256-etm@openssh.com" must be in use. In case "hmac-sha2-256-etm@openssh.com" is disabled while "hmac-sha2-256" is kept by the provider, should "hmac-sha2-256" automatically be used on my side?
  3. Is ETM version more secure? i.e., "hmac-sha2-256-etm@openssh.com" is better than "hmac-sha2-256"?

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,454
Location:
Prague, Czechia

Re: Support of MAC algorithm in WinSCP

The "service provider" does not tell us anything, about what does the "provider" have to do with the connection. Do they run the server?

If ETM variant is in use, the message would say:
Initialised HMAC-SHA-256 outbound MAC algorithm (in ETM mode)

Of course, when the ETM is disabled by the server, WinSCP won't (cannot) use it.

And yes, ETM is MORE SECURE.

Reply with quote

hsyam
Joined:
Posts:
2

Re: Support of MAC algorithm in WinSCP

The background is we exchange file with a bank and they requested us to update the MAC algorithm as above.

martin wrote:

If ETM variant is in use, the message would say:
Initialised HMAC-SHA-256 outbound MAC algorithm (in ETM mode)
So "Initialised HMAC-SHA-256 outbound MAC algorithm" should mean "hmac-sha2-256" is in use?

And yes, ETM is MORE SECURE.
I googled and also found this conclusion, so I do not know why they allow "hmac-sha2-256" while disallow "hmac-sha2-256-etm@openssh.com"

Reply with quote

Advertisement

You can post new topics in this forum