PuTTY wish hmac-sha2-512


summary: Support for HMAC-SHA-512 in SSH-2
class: wish: This is a request for an enhancement.
difficulty: fun: Just needs tuits, and not many of them.
priority: low: We aren't sure whether to fix this or not.
fixed-in: b77e98551336b8025b75a13354348d29a740a2b9 f6f984846577d573b922d1d2dbe4393b21a6eb9f (0.79)

RFC 6668 specifies two new MAC algorithms for SSH-2. PuTTY has support for HMAC-SHA-256 (called "hmac-sha2-256" in the protocol), but does not have support for the optional HMAC-SHA-512 ("hmac-sha2-512").

It would be simple enough to add support for HMAC-SHA-512, but this would gain practically nothing. HMAC-SHA-256 has an effective security of 256 bits, the same as the best of PuTTY's key-exchange algorithms. Any attacker able to break SHA-256 can simply extract the MAC key by reversing the key exchange, so using HMAC-SHA-512 is pointless. Adding it would come with costs in code size and complexity, and in expansion of PuTTY's KEXINIT packet. While small, these costs outweigh the negligible benefits.

2023-04-24: however, we heard recently of an SSH server being configured to accept nothing else, so if people are going to do that (though I'm still not sure why) it seems worth supporting. Also, we now have a fallback workaround for anyone finding our KEXINIT is too long, so that risk of adding more algorithms is mitigated.
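
The interoperability failure and the KEXINIT growth discussed above, as an added Python example (not PuTTY's code): MAC negotiation per RFC 4253 section 7.1, name-list encoding per RFC 4251, and the per-packet MAC per RFC 4253 section 6.4. The algorithm lists, packet bytes and all-zero keys are constructed for illustration and are not PuTTY's real KEXINIT contents.

```python
import hashlib
import hmac
import struct

# RFC 6668 MAC names mapped to their hash; digest and key length equal the hash output size.
RFC6668_MACS = {"hmac-sha2-256": hashlib.sha256, "hmac-sha2-512": hashlib.sha512}


def encode_name_list(names):
    """RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def negotiate_mac(client_list, server_list):
    """RFC 4253 section 7.1: first name on the client's list that the server also offers."""
    for name in client_list:
        if name in server_list:
            return name
    return None  # no common MAC: the connection cannot proceed


def packet_mac(name, key, seqno, packet):
    """RFC 4253 section 6.4: MAC(key, uint32 sequence_number || unencrypted_packet)."""
    return hmac.new(key, struct.pack(">I", seqno) + packet, RFC6668_MACS[name]).digest()


def demo():
    # Constructed lists, not PuTTY's real KEXINIT contents.
    server_only_512 = ["hmac-sha2-512"]
    old_client = ["hmac-sha2-256", "hmac-sha1"]
    new_client = ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]
    results = {
        "old": negotiate_mac(old_client, server_only_512),
        "new": negotiate_mac(new_client, server_only_512),
        # Extra bytes per name-list; KEXINIT carries one MAC list per direction.
        "growth": len(encode_name_list(new_client)) - len(encode_name_list(old_client)),
    }
    packet = b"\x00\x00\x00\x0c\x0a\x15" + b"\x00" * 10  # constructed SSH packet bytes
    for name, hashfn in RFC6668_MACS.items():
        key = bytes(hashfn().digest_size)  # constructed all-zero key of the required length
        results[name] = len(packet_mac(name, key, 3, packet))
    return results


if __name__ == "__main__":
    print(demo())
```

A client whose list lacks hmac-sha2-512 gets no match against a server that offers only that name, while adding the name costs a few bytes in each MAC name-list and doubles the tag appended to every packet.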


(last revision of this bug record was at 2023-04-24 15:41:18 +0100)